Date: Mon, 30 Nov 1998 20:17:45 +0100
From: Christoph Kukulies
To: David B Swann, Christoph Kukulies
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: cgi-bin/phf* security hole in apache
Message-ID: <19981130201745.A12844@gil.physik.rwth-aachen.de>
References: <199811261619.RAA25745@gilberto.physik.RWTH-Aachen.DE>
In-Reply-To: from David B Swann on Mon, Nov 30, 1998 at 12:46:18PM -0500

On Mon, Nov 30, 1998 at 12:46:18PM -0500, David B Swann wrote:

> The phf security hole allowed remote users to execute commands running as
> the same ID as the web server. If your web server runs as root, as many
> systems do, they could execute commands as root on your system. You
> should NEVER run a web server as root, IMHO.

Well, I was relying on the way it is installed under FreeBSD and I believe it *is* started as root, though I assume it forks/execs under uid nobody. At least the 1.3 version of apache.

> I had people from Italy, Russia, and the US download my password file
> using this exploit. They also tried other things like running the ps
> command. I assume they were trying to determine the ID that the web
> server was running as.
> A few other things failed to work, but I only got
> error messages in the log file. I don't know WHAT they actually tried.
> Since I was using shadow password files, I feel safe that they could not
> crack a password.
>
> I've used this exploit to go THROUGH a firewall and download a password
> file from a system. This was at the remote site's request though.

--
Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
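Two checks an administrator could run after reading the thread, written here as an added example and not code from the list or from Apache: one confirms that only the root-started listener runs as root and every forked httpd child has dropped to the unprivileged account, the other scans an access log for requests to /cgi-bin/phf. The `ps` snapshot and log lines are constructed samples; hostnames, addresses and paths in them are assumptions.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "user pid ppid comm")

# Constructed sample of `ps -axo user,pid,ppid,comm` output (not a real capture):
# an Apache 1.3 style parent started as root whose children should run as nobody.
SAMPLE_PS = """\
USER   PID  PPID COMMAND
root     1     0 init
root   212     1 httpd
nobody 213   212 httpd
nobody 214   212 httpd
root   215   212 httpd
"""

def parse_ps(text):
    """Turn the four-column ps listing into Proc tuples, skipping the header."""
    return [Proc(u, int(p), int(pp), c)
            for u, p, pp, c in (ln.split(None, 3) for ln in text.splitlines()[1:])]

def root_httpd_children(procs, name="httpd"):
    """PIDs of httpd children still running as root.

    The listener must be root to bind port 80, but every child it forks should
    have switched to the User/Group account; a root child means commands run
    through a CGI hole would run as root, which is the risk David describes."""
    httpd = [p for p in procs if p.comm == name]
    httpd_pids = {p.pid for p in httpd}
    return sorted(p.pid for p in httpd if p.ppid in httpd_pids and p.user == "root")

# Common Log Format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed access_log lines (not a real capture).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Nov/1998:20:17:45 +0100] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [30/Nov/1998:20:18:02 +0100] "GET /cgi-bin/phf?q=test HTTP/1.0" 200 512
10.0.0.9 - - [30/Nov/1998:20:18:40 +0100] "GET /cgi-bin/test-cgi HTTP/1.0" 404 0
"""

def phf_requests(log_text):
    """(client, status) for each request whose path, minus the query, is /cgi-bin/phf.

    A 200 here means the script answered; a 404 means it was already removed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3).split("?", 1)[0].endswith("/cgi-bin/phf"):
            hits.append((m.group(1), m.group(4)))
    return hits
```

Running `root_httpd_children(parse_ps(SAMPLE_PS))` on the sample reports PID 215, the one child that never dropped privileges.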