SECURITY LEAK in ncsa httpd - PLEASE READ!!!!

Markus Stumpf <stumpf@informatik.tu-muenchen.de>
Errors-To: secret@www0.cern.ch
Date: Tue, 8 Feb 1994 16:50:44 --100
Message-id: <94Feb8.164556mesz.311358@hprbg5.informatik.tu-muenchen.de>
Reply-To: www-talk@www0.cern.ch
Originator: www-talk@info.cern.ch
Sender: www-talk@www0.cern.ch
Precedence: bulk
From: Markus Stumpf <stumpf@informatik.tu-muenchen.de>
To: Multiple recipients of list <www-talk@www0.cern.ch>
Subject: SECURITY LEAK in ncsa httpd - PLEASE READ!!!!
Hoi folx,

there is IMHO a serious security leak in the ncsa httpd.

We run httpd from inetd and I always thought (but never checked)
that User and Group (from the conf or httpd.h files) apply
in that case, too.
This is NOT true! (and should be stated clearly in the conf files
IMHO).

You could now argue to use the "user" entry in the inetd.conf file,
BUT:
-  I can't set the gid there
-  some older systems don't support this (yet)

Rob, could you please add the code from the standalone section to
the inetd section?!

This all doesn't solve a more serious problem with the <INC>
instruction!
Having user-directories configured, any user is able to execute ANY
command out of this document, and this command is run under
server privileges.
This should IMHO be changed to only allow starting of programs
out of .../cgi-bin/ for example.

	\Maex
-- 
______________________________________________________________________________
 Markus Stumpf                        Markus.Stumpf@Informatik.TU-Muenchen.DE 
                                http://www.informatik.tu-muenchen.de/~stumpf/
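Added example, not part of the original message and not NCSA httpd's own code: a privilege drop of the kind the message asks to have applied in the inetd case as well, setting the group IDs before the user ID and verifying the result. The function name, result codes and the 65534 "nobody" IDs in main() are assumptions made for this illustration.

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_result { DROP_OK = 0, DROP_REFUSED = 1, DROP_FAILED = 2 };

/* Permanently switch the process to uid/gid (hypothetical helper; the
 * values stand for whatever the server's User and Group resolve to).
 * On DROP_FAILED the process may be half-dropped: the caller must exit. */
enum drop_result drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return DROP_REFUSED;             /* "dropping" to root changes nothing */

    /* Order matters: groups first, because after setuid() the process no
     * longer has the privilege to change its group IDs. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return DROP_FAILED;              /* clear inherited supplementary groups */
    if (setgid(gid) != 0)
        return DROP_FAILED;
    if (setuid(uid) != 0)
        return DROP_FAILED;

    /* Verify instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return DROP_FAILED;
    if (setuid(0) == 0)
        return DROP_FAILED;              /* root could be regained: not dropped */
    return DROP_OK;
}

int main(void)
{
    /* Constructed demo: 65534 is "nobody" on many systems (assumption). */
    uid_t uid = geteuid() == 0 ? 65534 : getuid();
    gid_t gid = geteuid() == 0 ? 65534 : getgid();
    enum drop_result r = drop_privileges(uid, gid);
    printf("drop_privileges -> %d, now uid=%d gid=%d\n",
           (int)r, (int)getuid(), (int)getgid());
    return r == DROP_OK ? 0 : 1;
}
```

A server started by inetd would call this once, before reading the request, and exit on anything other than DROP_OK.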