Date:      Mon, 30 Nov 1998 15:31:36 -0500 (EST)
From:      David B Swann <swann@nosc.mil>
To:        Christoph Kukulies <kuku@gilberto.physik.RWTH-Aachen.DE>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: cgi-bin/phf* security hole in apache
Message-ID:  <Pine.SUN.3.95q.981130152546.25369B-100000@anubis.nosc.mil>
In-Reply-To: <19981130201745.A12844@gil.physik.rwth-aachen.de>

It's been a while since I've played with apache, but it can run as any ID
that you desire.  I generally set it up to run as an ordinary user and
then I don't allow that user to write to ANY of the files on the system,
except my counter files and any other file that MUST be writable by the
web server (like the output of a form CGI script).

Also realize that an ordinary user can gather some important info about
the system.  The PS command can give an intruder knowledge about the
processes on your system.  And even the password file can give the user
VALID accounts on the system.

Luckily, I never saw anyone trying to exploit any of the IDs that were
downloaded.  I have TCP wrappers and a few other packages that I use to
monitor access.

 __________________________________________________________________________
| Bryan Swann (swann@nosc.mil)  803/566-0086   803/554-0015 (Fax)          |
| Eagan McAllister Associates, Inc.                                        |
|                                                                          |
|  "Everything must be working perfectly, cause I don't smell any smoke"   |
 --------------------------------------------------------------------------

On Mon, 30 Nov 1998, Christoph Kukulies wrote:

> On Mon, Nov 30, 1998 at 12:46:18PM -0500, David B Swann wrote:
> > The phf security hole allowed remote users to execute commands running as
> > the same ID as the web server.  If your web server runs as root, as many
> > systems do, they could execute commands as root on your system.  You
> > should NEVER run a web server as root, IMHO.
> 
> Well, I was relying on the way it is installed under FreeBSD
> and I believe it *is* started as root, though I assume it forks/execs
> under uid nobody. At least the 1.3 version of apache.
> 
> > 
> > I had people from Italy, Russia, and the US download my password file
> > using this exploit.  They also tried other things like running the ps
> > command.  I assume they were trying to determine the ID that the web
> > server was running.  A few other things failed to work, but I only got
> > error messages in the log file.  I don't know WHAT they actually tried.
> > Since I was using shadow password files, I feel safe that they could not
> > crack a password.
> > 
> > I've used this exploit to go THROUGH a firewall and download a password
> > file from a system.  This was at the remote site's request though.
> > 
> -- 
> Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
> 
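
The setup described in the message above (a web server running as an ordinary account that can write only to a few named files) can be audited with a script like the following. This is an added example, not part of the original message; the function name `writable_by` and its arguments are hypothetical, and it judges by owner/group/other mode bits only, ignoring supplementary groups and ACLs.

```shell
#!/bin/sh
# Added example (not from the original message): report files and directories
# that a given account could write to, judged by owner/group/other mode bits.
# Assumption: supplementary groups and ACLs are ignored.
#
# usage: writable_by ROOT UID GID [ALLOWED_PATH ...]
#   ROOT          tree to audit, e.g. the document root
#   UID, GID      numeric ids the web server runs as
#   ALLOWED_PATH  paths that MUST be writable (counter files, form output)
writable_by() {
    root=$1 uid=$2 gid=$3
    shift 3
    # Owner bits apply if the account owns the path, group bits if it only
    # shares the group, "other" bits in every remaining case.
    find "$root" \( -type f -o -type d \) \( \
            \( -user "$uid" -perm -0200 \) \
        -o  \( ! -user "$uid" -group "$gid" -perm -0020 \) \
        -o  \( ! -user "$uid" ! -group "$gid" -perm -0002 \) \
        \) -print |
    while IFS= read -r path; do
        allowed=no
        for ok in "$@"; do
            if [ "$path" = "$ok" ]; then allowed=yes; fi
        done
        # Anything printed here is writable but not on the allow list.
        if [ "$allowed" = no ]; then printf '%s\n' "$path"; fi
    done
}
```

Empty output means the account can write only to the paths passed as allowed.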

