oss-sec mailing list archives
Re: CVE request: FD leakage for cgi program on Monkey HTTPD
From: John Lightsey <john () nixnuts net>
Date: Fri, 14 Jun 2013 23:49:48 -0500
On Fri, 2013-06-14 at 16:50 -0700, Seth Arnold wrote:
> On Fri, Jun 14, 2013 at 04:40:29PM -0500, John Lightsey wrote:
> > I don't see how this issue is very different from CVE-2012-4442 and CVE-2012-4443. Do you believe those CVEs were not appropriate?
>
> CVE-2012-4442 and CVE-2012-4443 (failure to drop supplementary gids, failure to drop root uid and gid when running CGIs, for those reading along at home) were probably appropriate for two reasons: (a) Monkey probably made some effort at dropping privileges and just screwed it up in the same way everyone else did a decade earlier; (b) no one expects a webserver to run as root once it has bound its sockets. Even a webserver claimed to be "lightweight" is _expected_ to drop all the unneeded privileges once running.
>
> > I would argue that no one will expect that giving a user the ability to run CGI scripts in a particular virtualhost context on the system gives them the ability to intercept and spoof traffic for all virtualhosts on the system. Monkey does include virtualhost support and mentions shared hosting as an example usage scenario in the documentation. http://monkey-project.com/documentation/virtual_hosts
>
> But not all webservers are expected to try to enforce running CGIs with different security boundaries. Apache chose to try, and faults in their suEXEC ought to be allocated CVEs. I don't see anything on the Monkey website to document any suEXEC-alike functionality. Obviously Kurt disagreed with me and allocated a CVE :) so in some sense this whole discussion is now hypothetical.

Indeed. I found it very interesting that you objected. To me this seemed to be a relatively straightforward issue. I appreciate you explaining your reasoning in more detail.
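The thread touches two distinct defect classes in CGI-spawning servers: descriptors such as listening sockets leaking into the exec'd CGI process, and an incomplete privilege drop (supplementary groups kept, or gid/uid never changed). The following C example is added here for illustration and is not Monkey's code, nor does it assume anything about Monkey's internals; it shows the mitigation side of both, using only POSIX calls: mark every server-owned descriptor close-on-exec before any fork/exec, and drop privileges in the order that works (setgroups, then setgid, then setuid) followed by a verification that the drop actually took effect. The function names and the self-check are the example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* exposes setgroups() in <grp.h> on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Mark one descriptor close-on-exec so it never reaches an exec'd CGI.
 * Returns 0 on success, -1 (errno set) on failure. */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Report whether FD_CLOEXEC is set: 1 = set, 0 = clear, -1 = not a valid fd. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Apply mark_cloexec() to every server-owned fd (listening sockets, log
 * files, ...). Returns how many fds could NOT be marked, so 0 means clean. */
int protect_server_fds(const int *fds, size_t n)
{
    int failures = 0;
    for (size_t i = 0; i < n; i++)
        if (mark_cloexec(fds[i]) != 0)
            failures++;
    return failures;
}

/* Drop to the target identity in the only order that works:
 * supplementary groups first (requires root), then gid, then uid.
 * Afterwards verify the credentials rather than trusting return codes,
 * and confirm root cannot be regained. Returns 0 only if every step held. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups survive setgid()/setuid() (the CVE-2012-4442
     * class of bug), so clear them while we still hold the privilege. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid before uid: once the uid is unprivileged, setgid() is refused. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* A correctly dropped process must not be able to become root again. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Self-check on a constructed pipe: both ends start inheritable, and after
 * protect_server_fds() both are close-on-exec. Returns 1 on success, 0 otherwise. */
int selfcheck_cloexec(void)
{
    int p[2];
    if (pipe(p) != 0)
        return 0;
    int ok = is_cloexec(p[0]) == 0 && is_cloexec(p[1]) == 0 &&
             protect_server_fds(p, 2) == 0 &&
             is_cloexec(p[0]) == 1 && is_cloexec(p[1]) == 1;
    close(p[0]);
    close(p[1]);
    return ok;
}

int main(void)
{
    /* A stand-in for the server's listening socket (never bound here). */
    int listener = socket(AF_INET, SOCK_STREAM, 0);
    if (listener < 0) {
        perror("socket");
        return 1;
    }
    int fds[] = { listener };
    printf("listener cloexec before: %d\n", is_cloexec(listener));
    printf("fds left unprotected:    %d\n", protect_server_fds(fds, 1));
    printf("listener cloexec after:  %d\n", is_cloexec(listener));
    /* This demo is normally unprivileged, so it "drops" to its own ids; a
     * real server would pass the CGI user's ids while still running as root. */
    int rc = drop_privileges(getuid(), getgid());
    printf("drop_privileges: %s\n", rc == 0 ? "ok" : strerror(errno));
    close(listener);
    return rc == 0 ? 0 : 1;
}
```

The close-on-exec flag is applied to the parent's descriptors at creation time rather than by closing fds in the child, because anything the child forgets to close is exactly what the CGI inherits; the verification step after setuid() is what turns a silently failed drop into a hard error instead of a root CGI.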