Bugtraq
mailing list archives
Re: httpd symlinks
From: dsr () lns61 tn cornell edu (Daniel S. Riley)
Date: Mon, 4 Sep 1995 16:21:05 -0400
> Try adding this to "access.conf" on apache 0.8.11 or ncsa 1.4 (not sure
> about how CERN handles this). "SymLinksIfOwnerMatch" is only vaguely
> documented.

SymLinksIfOwnerMatch, at least in NCSA httpd 1.4 through 1.5b3, is
also broken. Here's the bug report I submitted to the ncsa-httpd
team:
SymLinksIfOwnerMatch can be trivially defeated. The check code
basically does
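
    lstat(path,&fi);                    /* owner of the link itself */
    [...]
    bsz = readlink(path,realpath,256);  /* resolves one level only */
    [...]
    lstat(realpath,&lfi);               /* does not follow realpath if it is a link */
    if(fi.st_uid != lfi.st_uid)
        goto gong;
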
which can be fooled by creating a soft link to a soft link to the
target file. The second lstat should be a stat(), and the whole
thing could be substantially simplified--something like

    lstat(path,&fi);                    /* owner of the link itself */
    if(!(S_ISREG(fi.st_mode))) {
        if(opts[n] & OPT_SYM_OWNER) {
            /* stat() follows the whole chain to the final target */
            if (stat(path,&lfi) == -1)
                goto gong;
            if(fi.st_uid != lfi.st_uid)
                goto gong;
        }

should be sufficient (be sure to fix both instances).
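
The difference between the two checks in the report above, as an added example that is not part of the original post or of the NCSA httpd source: it records which filesystem object each check ends up comparing owners against when the requested path is a link to a link. The function names and the constructed /tmp fixture (target, mid, outer) are assumptions made for the illustration; every file in the fixture has the same owner, so the point is the object inspected, not the result of the uid comparison.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check as quoted in the report: lstat, one readlink, lstat. 1 = owners match. */
int inspect_original(const char *path, struct stat *lfi) {
    struct stat fi;
    char linkbuf[PATH_MAX];
    ssize_t bsz;
    if (lstat(path, &fi) == -1) return -1;
    bsz = readlink(path, linkbuf, sizeof linkbuf - 1);
    if (bsz == -1) return -1;
    linkbuf[bsz] = '\0';                 /* readlink() does not terminate */
    if (lstat(linkbuf, lfi) == -1) return -1;  /* stops at a second link */
    return fi.st_uid == lfi->st_uid;
}

/* Suggested fix: stat() follows the whole chain to the final file. */
int inspect_fixed(const char *path, struct stat *lfi) {
    struct stat fi;
    if (lstat(path, &fi) == -1) return -1;
    if (stat(path, lfi) == -1) return -1;
    return fi.st_uid == lfi->st_uid;
}

/* Constructed fixture: dir/target (file), dir/mid -> target, dir/outer -> mid. */
int make_chain(char *dir, char *target, char *outer, size_t n) {
    char mid[PATH_MAX];
    FILE *f;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, n, "%s/target", dir);
    snprintf(mid, sizeof mid, "%s/mid", dir);
    snprintf(outer, n, "%s/outer", dir);
    if ((f = fopen(target, "w")) == NULL) return -1;
    fclose(f);
    if (symlink(target, mid) == -1 || symlink(mid, outer) == -1) return -1;
    return 0;
}

int main(void) {
    char dir[] = "/tmp/symchainXXXXXX", target[PATH_MAX], outer[PATH_MAX];
    struct stat a, b;
    if (make_chain(dir, target, outer, sizeof target) != 0) return 1;
    if (inspect_original(outer, &a) == -1 || inspect_fixed(outer, &b) == -1) return 1;
    printf("original compared against a %s, fixed against a %s\n",
           S_ISLNK(a.st_mode) ? "symlink" : "file", S_ISLNK(b.st_mode) ? "symlink" : "file");
    return 0;
}
```

The fixture is left in place under /tmp so the chain can be inspected with `ls -l` afterwards.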