Posted to dev@httpd.apache.org by Brian Behlendorf <br...@organic.com> on 1995/05/05 03:00:37 UTC

Re: NCSA httpd again: CGI scripts and log file descriptors (fwd)

So I forget - did we ever get around to deciding what to do about this?  
Is this still in apache?

	Brian


---------- Forwarded message ----------
Date: Thu, 4 May 1995 10:14:29 -0700 (PDT)
From: Paul Phillips <pa...@cerf.net>
To: Prentiss Riddle <ri...@is.rice.edu>
Cc: www-security@ns2.rutgers.edu, httpd@ncsa.uiuc.edu
Subject: Re: NCSA httpd again: CGI scripts and log file descriptors



On Thu, 4 May 1995, Prentiss Riddle wrote:

> Would anyone care to comment on Phillips' speculation as to whether
> this hole could do more than trash your logs?

It was pointed out that fchdir could conceivably be used to escape a 
chrooted area.  I also really don't like the idea that a CGI can log an 
arbitrary amount of false information.  Trashing the log files at least 
informs the web admin that something is up, but information warfare can 
be more dangerous than information vandalism.

> Furthermore, assuming you have tight restrictions on the CGI scripts
> you make available, is there any reason to believe that this could be
> exploited by malicious *users* (as opposed to malicious CGI authors)?

Nope, unless augmented by another hole that subverts the path translation 
mechanism in httpd to execute CGIs.

I just tested httpd 1.4; the hole is still there.  I didn't receive any 
comment from NCSA when I informed them of it the first time, and I did 
describe the fix (setting the close-on-exec flag on the fds).

--
Paul Phillips                                 EMAIL: paulp@cerf.net  
WWW: http://www.primus.com/staff/paulp/       PHONE: (619) 220-0850
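The close-on-exec fix Paul Phillips describes, as an added example that is not part of the thread: a small C program opens a scratch "log" file, optionally marks it FD_CLOEXEC, then forks and execs /bin/sh standing in for a CGI that tries to write a line to the inherited descriptor number. The function name, the scratch path and the forged line are constructed for this demonstration; with the flag set, exec() closes the descriptor and the child's write fails.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Simulates the server: open a scratch "log", optionally mark it close-on-exec,
 * then fork and exec a stand-in "CGI" (/bin/sh) that tries to write to the
 * inherited descriptor number.  Returns 1 if the child's write landed in the
 * log (fd leaked across exec), 0 if it could not write (fd closed), -1 on error. */
int cgi_child_can_write_log(int set_cloexec)
{
    char path[] = "/tmp/cloexec-demo-XXXXXX";  /* constructed scratch log */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);  /* the inode lives only as long as this fd is open */

    /* The fix described in the thread: FD_CLOEXEC makes exec() close the fd. */
    if (set_cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }

    pid_t pid = fork();
    if (pid < 0) { close(fd); return -1; }
    if (pid == 0) {
        /* Child: after exec the shell holds fd N only if it was inherited;
         * ">&N" fails with EBADF when N is closed, so nothing is written. */
        char cmd[64];
        snprintf(cmd, sizeof cmd, "echo 'FORGED LOG LINE' >&%d", fd);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    waitpid(pid, NULL, 0);

    /* The parent still holds fd, so anything in the file came from the child. */
    off_t size = lseek(fd, 0, SEEK_END);
    close(fd);
    return size > 0 ? 1 : 0;
}

int main(void)
{
    printf("without FD_CLOEXEC, CGI wrote to log: %d\n", cgi_child_can_write_log(0));
    printf("with FD_CLOEXEC, CGI wrote to log: %d\n", cgi_child_can_write_log(1));
    return 0;
}
```

In the closed case the shell also prints a "Bad file descriptor" error on stderr, which is the behaviour a CGI author would see once the server sets the flag.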