Bugtraq mailing list archives

Re: httpd symlinks
From: dsr () lns61 tn cornell edu (Daniel S. Riley)
Date: Mon, 4 Sep 1995 16:21:05 -0400

Try adding this to "access.conf" on apache 0.8.11 or ncsa 1.4 (not sure
about how CERN handles this).  "SymLinksIfOwnerMatch" is only vaguely

SymLinksIfOwnerMatch, at least in NCSA httpd 1.4 through 1.5b3, is
also broken.  Here's the bug report I submitted to the ncsa-httpd

    SymLinksIfOwnerMatch can be trivially defeated.  The check code
    basically does

        bsz = readlink(path,realpath,256);
        if(fi.st_uid != lfi.st_uid)
                goto gong;

    which can be fooled by creating a soft link to a soft link to the
    target file.  The second lstat should be a stat(), and the whole
    thing could be substantially simplified--something like

        if(!(S_ISREG(fi.st_mode))) {
            if(opts[n] & OPT_SYM_OWNER) {
                if (stat(path,&lfi) == -1)
                    goto gong;
                if(fi.st_uid != lfi.st_uid)
                    goto gong;

    should be sufficient (be sure to fix both instances).
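The difference between the one-hop check and the stat() check described in the message above, as an added example that is not part of the original post and is not NCSA httpd code. The function names, the temporary directory fixture and the use of absolute symlink targets are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pre-fix logic: lstat the link, readlink one hop, lstat that hop. */
static int owner_check_one_hop(const char *path, struct stat *cmp) {
    struct stat fi;
    char next[PATH_MAX];
    ssize_t n = readlink(path, next, sizeof next - 1);
    if (n == -1 || lstat(path, &fi) == -1) return -1;
    next[n] = '\0';
    if (lstat(next, cmp) == -1) return -1;   /* may itself be a symlink */
    return fi.st_uid == cmp->st_uid;
}

/* Suggested logic: stat() follows the whole chain to the final target. */
static int owner_check_full(const char *path, struct stat *cmp) {
    struct stat fi;
    if (lstat(path, &fi) == -1 || stat(path, cmp) == -1) return -1;
    return fi.st_uid == cmp->st_uid;
}

/* Constructed fixture: hop2 -> hop1 -> target, all in a fresh temp dir. */
static int build_chain(char *dir, char *target, char *hop2, size_t sz) {
    char hop1[PATH_MAX];
    FILE *f;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sz, "%s/target", dir);
    snprintf(hop1, sizeof hop1, "%s/hop1", dir);
    snprintf(hop2, sz, "%s/hop2", dir);
    if ((f = fopen(target, "w")) == NULL) return -1;
    fclose(f);
    if (symlink(target, hop1) == -1) return -1;
    return symlink(hop1, hop2);
}

int main(void) {
    char dir[] = "/tmp/symchkXXXXXX", target[PATH_MAX], hop2[PATH_MAX];
    struct stat a, b;
    if (build_chain(dir, target, hop2, sizeof target) == -1) return 1;
    if (owner_check_one_hop(hop2, &a) == -1 || owner_check_full(hop2, &b) == -1) return 1;
    printf("one-hop check compared a %s; stat() check compared a %s\n",
           S_ISLNK(a.st_mode) ? "symlink" : "non-symlink",
           S_ISREG(b.st_mode) ? "regular file" : "non-regular file");
    return 0;
}
```

With a two-link chain the one-hop check compares the owner of the outer link with the owner of the intermediate link, so the owner of the final file is never examined; the stat() version compares against the file the server would actually open.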
