Date:      Mon, 30 Nov 1998 20:17:45 +0100
From:      Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE>
To:        David B Swann <swann@nosc.mil>, Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: cgi-bin/phf* security hole in apache
Message-ID:  <19981130201745.A12844@gil.physik.rwth-aachen.de>
In-Reply-To: <Pine.SUN.3.95q.981130124025.15846A-100000@anubis.nosc.mil>; from David B Swann on Mon, Nov 30, 1998 at 12:46:18PM -0500
References:  <199811261619.RAA25745@gilberto.physik.RWTH-Aachen.DE> <Pine.SUN.3.95q.981130124025.15846A-100000@anubis.nosc.mil>

On Mon, Nov 30, 1998 at 12:46:18PM -0500, David B Swann wrote:
> The phf security hole allowed remote users to execute commands running as
> the same ID as the web server.  If your web server runs as root, as many
> systems do, they could execute commands as root on your system.  You
> should NEVER run a web server as root, IMHO.

Well, I was relying on the way it is installed under FreeBSD
and I believe it *is* started as root, though I assume it forks/execs
under uid nobody. At least the 1.3 version of apache.

> 
> I had people from Italy, Russia, and the US download my password file
> using this exploit.  They also tried other things like running the ps
> command.  I assume they were trying to determine the ID that the web
> server was running.  A few other things failed to work, but I only got
> error messages in the log file.  I don't know WHAT they actually tried.
> Since I was using shadow password files, I feel safe that they could not
> crack a password.
> 
> I've used this exploit to go THROUGH a firewall and download a password
> file from a system.  This was at the remote site's request though.
> 
-- 
Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
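
One way to check the behaviour discussed in this message (a parent httpd started as root, with the children that serve requests and run CGI programs under an unprivileged uid), as an added example that is not part of the original e-mail. The process name `httpd`, the function names and the sample `ps` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Flag Apache worker processes that still run as root.
# Input on stdin: lines in the format of `ps -axo user,pid,ppid,comm`
# (a header line is allowed). The parent httpd is expected to be root,
# since it binds port 80; only its children are checked.
root_workers() {
    awk -v name="${1:-httpd}" '
        $4 == name { user[$2] = $1; ppid[$2] = $3 }
        END {
            # A worker is an httpd process whose parent is also httpd.
            for (pid in user)
                if (user[pid] == "root" && (ppid[pid] in user))
                    print pid
        }' | sort -n
}

# Constructed sample: root parent, workers running as nobody.
sample_ok='USER PID PPID COMMAND
root 201 1 httpd
nobody 210 201 httpd
nobody 211 201 httpd
root 150 1 inetd'

# Constructed sample: workers that never dropped root.
sample_bad='USER PID PPID COMMAND
root 301 1 httpd
root 310 301 httpd
root 311 301 httpd'

# Print a verdict for one ps listing; return 1 if any worker is root.
check() {
    bad=$(printf '%s\n' "$1" | root_workers httpd)
    if [ -n "$bad" ]; then
        echo "httpd workers running as root:" $bad
        return 1
    fi
    echo "ok: workers are unprivileged"
}

check "$sample_ok"
check "$sample_bad" || true
```

On a live system the same function can be fed with `ps -axo user,pid,ppid,comm | root_workers httpd`.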
