Bugtraq mailing list archives
Re: CGI script insecurity in NCSA httpd
From: jeremy () sour sw oz au (Jeremy Fitzhardinge)
Date: Fri, 28 Apr 1995 16:32:54 +1000 (EST)
Greetings, all. Anyone with access to CGI scripts on your server can destroy all your logfiles and possibly wreak other havoc. [...] whether cracking root was possible. It does not appear so, since fchmod checks the euid of the process even though it has an open descriptor, and this is normally "nobody". HOWEVER, I have not given the matter an enormous amount of thought, so a greater vulnerability may exist here. I welcome comments.
If it leaves a directory open, the CGI script could use fchdir() (on those systems where it exists) to escape a chrooted area. fchdir() needs no special permissions, but the process would have to be allowed into the destination directory (that is, it needs to be executable set for the CGI script's credentials).

J
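The mitigation side of the descriptor leak discussed in this message, as an added example that is not part of the original post and is not NCSA httpd code: a server child marks every inherited descriptor above stderr close-on-exec before running a CGI script, so neither log files nor open directories reach the script. The name `seal_fds_before_exec` and the `fd_sweep` struct are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* What one sweep over the descriptor table found. */
struct fd_sweep { int dirs; int files; int other; int failed; };

/*
 * Hypothetical helper: call in the server child just before exec()ing a
 * CGI script. Each open descriptor above stderr is classified and marked
 * close-on-exec, so the script gets no log file handles to write to and
 * no directory handles to pass to fchdir().
 */
struct fd_sweep seal_fds_before_exec(void)
{
    struct fd_sweep r = {0, 0, 0, 0};
    long max = sysconf(_SC_OPEN_MAX);

    /* Assumption: cap the scan when the limit is unknown or very large;
     * descriptors numbered above the cap are not covered. */
    if (max < 0 || max > 65536)
        max = 65536;

    for (int fd = STDERR_FILENO + 1; fd < max; fd++) {
        struct stat st;
        if (fstat(fd, &st) != 0)
            continue;                    /* slot not in use */
        if (S_ISDIR(st.st_mode))
            r.dirs++;                    /* usable with fchdir() */
        else if (S_ISREG(st.st_mode))
            r.files++;                   /* e.g. an open log file */
        else
            r.other++;                   /* sockets, pipes, devices */

        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0)
            r.failed++;                  /* caller should refuse to exec */
    }
    return r;
}

int main(void)
{
    struct fd_sweep r = seal_fds_before_exec();
    printf("dirs=%d files=%d other=%d failed=%d\n",
           r.dirs, r.files, r.other, r.failed);
    return r.failed != 0;
}
```

A nonzero `dirs` or `files` count is worth logging on its own, since it shows the server was holding handles a script could have inherited.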