Date: Thu, 20 Jun 2002 13:41:43 -0600
From: "David G . Andersen" <danderse@cs.utah.edu>
To: Jeff Gentry <freebsd@hexdump.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apache root exploitable?
Message-ID: <20020620134143.C14099@cs.utah.edu>
In-Reply-To: <20020620154453.L76822-100000@hellfire.hexdump.org>; from freebsd@hexdump.org on Thu, Jun 20, 2002 at 03:45:58PM -0400
References: <MBBBIOEFHOPIGEHFPADDAEIHCAAA.ghebion@phreaker.net> <20020620154453.L76822-100000@hellfire.hexdump.org>

Jeff Gentry just mooed:
> I'm a bit confused following all these messages, especially with that
> exploit script someone sent out "Apache exploitable?". Is this thing root
> exploitable? Reading the code sent out in the aforementioned thread it
> sounds as if it might be but I was not certain.

It's not _root_ exploitable unless you run Apache as root. If you do
that, you're asking for it anyway.

It may or may not be remotely exploitable. It looks a lot more
exploitable than it did a few days ago. :) Regardless, you should:

> Is there a workaround outside of closing off Apache?

Upgrade to 1.3.26 or 2.0.39.

  -Dave

--
work: dga@lcs.mit.edu                          me: dga@pobox.com
MIT Laboratory for Computer Science            http://www.angio.net/