Re: CVE request: FD leakage for cgi program on Monkey HTTPD

[John Lightsey <john () nixnuts net>]

On Fri, 2013-06-14 at 16:50 -0700, Seth Arnold wrote: 
> On Fri, Jun 14, 2013 at 04:40:29PM -0500, John Lightsey wrote:

> > I don't see how this issue is very different from CVE-2012-4442 and
> > CVE-2012-4443. Do you believe those CVEs were not appropriate?
>
> CVE-2012-4442 and CVE-2012-4443 (failure to drop supplementary gids,
> failure to drop root uid and gid when running CGIs, for those reading
> along at home) were probably appropriate for two reasons: (a) Monkey
> probably made some effort at dropping privileges and just screwed it up
> in the same way everyone else did a decade earlier (b) no one expects a
> webserver to run as root once it has bound its sockets. Even a webserver
> claimed to be "lightweight" is _expected_ to drop all the unneeded
> privileges once running.

I would argue that no one will expect that giving a user the ability to
run CGI scripts in a particular virtualhost context on the system gives
them the ability to intercept and spoof traffic for all virtualhosts on
the system.

Monkey does include virtualhost support and mentions shared hosting as
an example usage scenario in the documentation.

http://monkey-project.com/documentation/virtual_hosts

> But not all webservers are expected to try to enforce running CGIs with
> different security boundaries. Apache chose to try, and faults in their
> suEXEC ought to be allocated CVEs. I don't see anything on the Monkey
> website to document any suEXEC-alike functionality.
>
> Obviously Kurt disagreed with me and allocated a CVE :) so in some sense
> this whole discussion is now hypothetical.

Indeed. I found it very interesting that you objected. To me this seemed
to be a relatively straightforward issue. I appreciate you explaining
your reasoning in more detail.

Attachment: signature.asc
Description: This is a digitally signed message part