Home page logo

bugtraq logo Bugtraq mailing list archives

Re: HTTPD bug
From: avalon () coombs anu edu au (Darren Reed)
Date: Mon, 17 Apr 1995 13:05:11 +1000 (EST)

In some mail from Mr Martin J Hargreaves, they said:

      I don't think this has been brought up on bugtraq yet, if it has 
sorry. This is from Linux-security, posted by "Mr Pink 
(vince () dallas demon co uk) apologies to Mr. Pink for my instant repost.

On Sun, 16 Apr 1995, Mr Pink wrote:

Hello all,
i was browsing thru alt.2600, as you do, and spotted something of interest
it appears there is a problem with the CERN httpd.

It allows you to create a directory in a users home dir that can be 
accessed via mosaic/netscape.  well the bad bit of news is, if you sym link
this dir to root (/), file ownership becomes non existent.

i was easily able to read the shadow passwd file!

You can't save users or sys-admins from themselves, as this goes to show.

I started writing something up on httpd and security, quite a few months
ago, but never really had the time to get back to it (was playing with
CERN httpd 3.0pre6 at the time).  Did a bit of RTFS too which was hmmm...
interesting.  [http://www.arbld.unimelb.edu.au/~darrenr/httpd.ps if you're
really interested but the WWW sucks so...]
-------excert from my /etc/httpd.conf--------
UserDir         www
SecurityLevel   high
UserId          nobody
GroupId         nogroup
ParentUserId    nobody
ParentGroupId   nogroup
DirAccess       off
DirReadme       top
DirShowHidden   off
DirShowBytes    on
DirShowCase     on
DirShowMode     off
DirShowOwner    off
DirShowGroup    off
Make sure all of those are set as above.  httpd is *NOT* meant to be run
as root, which is the *ONLY* way it will read your shadow passwd file unless
the file perms on it are stuffed anyway.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]