lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 22 Jan 2004 11:20:22 +0100
From: lupe@...e-christoph.de (Lupe Christoph)
To: Steve Grubb <linux_4ever@...oo.com>
Cc: bugtraq@...urityfocus.com, modperl@...l.apache.org
Subject: Re: Hijacking Apache 2 via mod_perl


On Wednesday, 2004-01-21 at 22:53:33 -0000, Steve Grubb wrote:

> Product:         mod_perl
> Versions:        1.99_09 / apache 2.0.47
> URL:             http://perl.apache.org
> Impact:          Daemon Hijacking
> Bug class:       Leaked Descriptor
> Vendor notified: Yes
> Fix available:   No
> Date:            01/21/04

> Issue:
> ======
> Mod_perl under apache 2.0.x leaks critical file descriptors that can be used to takeover (hijack) the http and https services.

It does not leak them. Your code reopens them.

Installing your code requires superuser permissions. Or the willingness
of the admin of the machine to trust people with the right to install
code that runs inside Apache.

Much the same can be done with anything that runs inside Apache. For
example, mod_php. So in essence you are complaining that an Apache
extensions has the right to do anything inside Apache it can be
programmed to do.

For example, to receive POST data, the extension code has to be able to
access the FD that connects to the browser. It also has to be able to
write to that FD to send a reply.

To write to a log, it needs write access (mostly through the Apache ABI)
to the log filedescriptors.

Can you suggest a way to avoid this?

I have forwarded your mail to the mod_perl mailing list, which I'm also
Ccing on this mail. Had you taken your problem there first, this
silliness could have been avoided.

The thread starts at
  http://marc.theaimsgroup.com/?l=apache-modperl&m=107475920405755&w=2

Lupe Christoph
-- 
| lupe@...e-christoph.de       |           http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze                         |
| "Thief of Time", Terry Pratchett                                       |

-- 
Reporting bugs: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ