Home page logo

Vulnerability Development mailing list archives

Re: Apache 2.x leaked descriptors
From: jon schatz <jon () divisionbyzero com>
Date: Sat, 22 Feb 2003 14:46:59 -0800

Steve Grubb wrote:
It is normal practice for webhosting companies to put multiple clients on the same machine. What kind of scripting capabilities they give you, if any, varies. If they give you *any* scripting capabilities and the machine runs apache 2.x, then cgi-bin programs can possibly: poison the logs of other sites on the same machine, place malicious content for log analysis programs, delete access log via ftruncate, see what pages or cgi-bins are being accessed on neighboring sites, or read anything dumped into error logs of neighboring websites.

you can do more than that. unless the web server uses suexec, all the cgi's run as the webserver user, who most likely has:

at least w to all log files for all vhosts (probably r+w)
at least r on all webhosting directories
at least r+x on all cgi-bin directories

this is (and has been) a known issue for a while. it has periodically been discussed on the apache mailing lists, and i think it came up on bugtraq recently as well.

jon () divisionbyzero com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus? www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]