Major Security Flaw with apache on FC3

Fedora Mailing List fedora at ows.ch
Mon Jul 4 14:40:35 UTC 2005

Alexander Dalloz wrote:

>Am Mo, den 04.07.2005 schrieb Fedora Mailing List um 16:06:
>
>>The Scenario :
>>
>>get this php filemanager :
>>http://phpfm.sourceforge.net/#downloads
>>simply unzip into your web site directory
>>
>>I have vhosts under a /data dir
>>
>>rights 711 on the vhost dir, all fine
>>drwx--x--x  19 john data 4096 Jun 24 15:35 www.test.com
>>
>>after calling the php file manager http://site.name/index.php
>>the rights on the directory are made world writeable
>>
>>drwxrwxrwx  13 john data 4096 Jul  4 15:39 www.test.com
>>
>>SCARY ---
>
>The problem is phpfm then.
>
>>apache error.log:
>>
>>[Mon Jul 04 15:43:44 2005] [error] [client x.x.x.x] Premature end of 
>>script headers: index.php, referer: http://www.test.com/index.php
>>[Mon Jul 04 15:43:44 2005] [error] [client x.x.x.x] SoftException in 
>>Application.cpp:227: Directory "/data/www.test.com" is writeable by 
>>group, referer: http://www.test.com/index.php
>>[Mon Jul 04 15:43:44 2005] [error] [client x.x.x.x] *** glibc detected 
>>*** double free or corruption (fasttop): 0x099c6590 ***, referer: 
>>http://www.test.com/index.php
>>[Mon Jul 04 15:43:44 2005] [error] [client x.x.x.x] File does not exist: 
>>/data/www.test.com/favicon.ico
>>[Mon Jul 04 15:44:09 2005] [error] [client x.x.x.x] File does not exist: 
>>/data/www.test.com/favicon.ico
>>[Mon Jul 04 15:44:19 2005] [error] [client x.x.x.x] Premature end of 
>>script headers: index.php, referer: http://www.test.com/index.php
>>[Mon Jul 04 15:44:19 2005] [error] [client x.x.x.x] SoftException in 
>>Application.cpp:227: Directory "/data/www.test.com" is writeable by 
>>group, referer: http://www.test.com/index.php
>>[Mon Jul 04 15:44:19 2005] [error] [client x.x.x.x] *** glibc detected 
>>*** double free or corruption (fasttop): 0x08e16590 ***, referer: 
>>http://www.test.com/index.php
>>
>>
>>Switching between suphp and mod_php didn't change anything .. the rights 
>>on the dir are changed no matter what
>>(the errors above are with suphp enabled, with mod_php I didn't get any 
>>error but the same result)
>
>I have doubts that Apache (user apache) is able to change filesystem
>permissions when it does not own a directory and no extension like suphp
>is configured or suExec is set.
>
>>On FC4 the problem didn't occur
>>------------
>>System Fedora Core 3 - No Selinux
>>
>>
>>httpd -V
>>Server version: Apache/2.0.54
>
>That is no FC3 Apache!
>
>$ rpm -q httpd
>httpd-2.0.52-3.1
>
>$ httpd -v
>Server version: Apache/2.0.52
>Server built:   Nov 11 2004 10:31:42
>
>>Server built:   Apr 18 2005 21:03:32
>>Server's Module Magic Number: 20020903:9
>>Architecture:   32-bit
>>Server compiled with....
>> -D APACHE_MPM_DIR="server/mpm/prefork"
>> -D APR_HAS_SENDFILE
>> -D APR_HAS_MMAP
>> -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>> -D APR_USE_SYSVSEM_SERIALIZE
>> -D APR_USE_PTHREAD_SERIALIZE
>> -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>> -D APR_HAS_OTHER_CHILD
>> -D AP_HAVE_RELIABLE_PIPED_LOGS
>> -D HTTPD_ROOT="/etc/httpd"
>> -D SUEXEC_BIN="/usr/sbin/suexec"
>> -D DEFAULT_PIDLOG="logs/httpd.pid"
>> -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>> -D DEFAULT_LOCKFILE="logs/accept.lock"
>> -D DEFAULT_ERRORLOG="logs/error_log"
>
>>I didn't trace and debug the thing yet, pretty in a hurry right now, to find out what may have caused it ... if anyone heard about it .. ?
>
>I would say phpfm is broken or misconfigured. I miss the proof that a
>plain FC3 Apache2 with only mod_php - no suPHP, nor running suExec with
>PHP cgi scripts - is able to change filesystem permissions for
>directories / files the apache user does not own.
>
>Alexander
>

Yes, it has been rebuilt using
httpd-2.0.54-3.src.rpm from a fedora mirror and rebuilt with
rpmbuild -ba SPECS/httpd.spec
But the rest are genuine updated fc3 packages .. so something is actually 
doing that
I will dig into it, just running out of time today :)
Cheers
-P
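Editor's note on the thread above: the suPHP line in the quoted error.log ("Directory ... is writeable by group") is suPHP refusing to execute a script because the vhost directory had gone from 711 to 777, and the glibc "double free" line is the suphp process dying afterwards. What an administrator reading this would want is a way to catch both conditions before users do. The script below is an added example written for this page, not code from either poster, phpfm, suPHP or Fedora. It re-implements the same permission test suPHP reports (group- or world-writable docroot) over a directory tree and pulls the relevant error.log lines out of a log excerpt. The vhost base directory, the vhost names and the sample log text are constructed for the demo; only the log line shapes are taken from the thread.

```python
import os
import re
import stat
import tempfile

# Constructed sample: same shape as the error.log lines quoted in the thread.
SAMPLE_ERROR_LOG = """\
[Mon Jul 04 15:43:44 2005] [error] [client x.x.x.x] Premature end of script headers: index.php, referer: http://www.test.com/index.php
[Mon Jul 04 15:43:44 2005] [error] [client x.x.x.x] SoftException in Application.cpp:227: Directory "/data/www.test.com" is writeable by group, referer: http://www.test.com/index.php
[Mon Jul 04 15:43:44 2005] [error] [client x.x.x.x] *** glibc detected *** double free or corruption (fasttop): 0x099c6590 ***, referer: http://www.test.com/index.php
[Mon Jul 04 15:43:44 2005] [error] [client x.x.x.x] File does not exist: /data/www.test.com/favicon.ico
"""

# A CGI script that exited without emitting headers (suphp died before PHP ran).
PREMATURE_RE = re.compile(r"Premature end of script headers: ([^,\s]+)")
# suPHP's own refusal: the directory holding the script is group/world writable.
SOFTEXC_RE = re.compile(
    r'SoftException in \S+: Directory "([^"]+)" is writeable by (group|others)')
# Heap corruption abort in whatever process Apache spawned.
GLIBC_RE = re.compile(r"\*\*\* glibc detected \*\*\* ([^:]+)")


def check_docroot(path):
    """Return the permission problems suPHP would object to for one directory.

    Only the group and other write bits are examined; owner write is normal.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & stat.S_IWGRP:
        problems.append("writeable by group")
    if mode & stat.S_IWOTH:
        problems.append("writeable by others")
    return problems


def audit_vhosts(base):
    """Check every immediate subdirectory of base (e.g. /data in the thread).

    Returns {vhost_name: [problems]} containing only directories with findings,
    so an empty dict means every docroot is at most owner-writable.
    """
    report = {}
    for name in sorted(os.listdir(base)):
        path = os.path.join(base, name)
        if os.path.isdir(path):
            problems = check_docroot(path)
            if problems:
                report[name] = problems
    return report


def scan_error_log(text):
    """Extract (kind, subject, detail) tuples from Apache error.log text.

    Only the three line types that mattered in the thread are recognised;
    routine noise such as missing favicon.ico is ignored.
    """
    findings = []
    for line in text.splitlines():
        m = PREMATURE_RE.search(line)
        if m:
            findings.append(("script_aborted", m.group(1), None))
            continue
        m = SOFTEXC_RE.search(line)
        if m:
            findings.append(("suphp_refused", m.group(1), m.group(2)))
            continue
        m = GLIBC_RE.search(line)
        if m:
            findings.append(("heap_corruption", m.group(1).strip(), None))
    return findings


def demo():
    """Build a throwaway /data-like tree: one 711 vhost and one that went 777."""
    with tempfile.TemporaryDirectory() as base:
        good = os.path.join(base, "www.good.example")   # constructed name
        bad = os.path.join(base, "www.test.com")        # name used in the thread
        os.mkdir(good)
        os.chmod(good, 0o711)
        os.mkdir(bad)
        os.chmod(bad, 0o777)
        return audit_vhosts(base)


if __name__ == "__main__":
    for vhost, problems in demo().items():
        print(f"{vhost}: {', '.join(problems)}")
    for kind, subject, detail in scan_error_log(SAMPLE_ERROR_LOG):
        print(kind, subject, detail or "")
```

Run `audit_vhosts("/data")` from cron on the real vhost base and alert on a non-empty result; pair it with `scan_error_log` over the day's error.log so that a docroot flipping to 777 is noticed from both sides, the filesystem and the suPHP refusal, rather than only when scripts start failing.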
