Major Security Flaw with apache on FC3

Fedora Mailing List fedora at ows.ch
Mon Jul 4 14:06:22 UTC 2005


The scenario:

Get this PHP file manager:
http://phpfm.sourceforge.net/#downloads
Simply unzip it into your website directory.

I have vhosts under a /data dir

Rights 711 on the vhost dir, all fine:
drwx--x--x  19 john data 4096 Jun 24 15:35 www.test.com

After calling the PHP file manager at http://site.name/index.php,
the rights on the directory are made world-writable:

drwxrwxrwx  13 john data 4096 Jul  4 15:39 www.test.com

SCARY ---

apache error.log:

[Mon Jul 04 15:43:44 2005] [error] [client x.x.x.x] Premature end of 
script headers: index.php, referer: http://www.test.com/index.php
[Mon Jul 04 15:43:44 2005] [error] [client x.x.x.x] SoftException in 
Application.cpp:227: Directory "/data/www.test.com" is writeable by 
group, referer: http://www.test.com/index.php
[Mon Jul 04 15:43:44 2005] [error] [client x.x.x.x] *** glibc detected 
*** double free or corruption (fasttop): 0x099c6590 ***, referer: 
http://www.test.com/index.php
[Mon Jul 04 15:43:44 2005] [error] [client x.x.x.x] File does not exist: 
/data/www.test.com/favicon.ico
[Mon Jul 04 15:44:09 2005] [error] [client x.x.x.x] File does not exist: 
/data/www.test.com/favicon.ico
[Mon Jul 04 15:44:19 2005] [error] [client x.x.x.x] Premature end of 
script headers: index.php, referer: http://www.test.com/index.php
[Mon Jul 04 15:44:19 2005] [error] [client x.x.x.x] SoftException in 
Application.cpp:227: Directory "/data/www.test.com" is writeable by 
group, referer: http://www.test.com/index.php
[Mon Jul 04 15:44:19 2005] [error] [client x.x.x.x] *** glibc detected 
*** double free or corruption (fasttop): 0x08e16590 ***, referer: 
http://www.test.com/index.php


Switching between suPHP and mod_php didn't change anything; the rights
on the dir are changed regardless.
(The errors above are with suPHP enabled; with mod_php I didn't get any
error, but the same result.)

On FC4 the problem didn't occur.
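As an added example that is not part of the original post: a small POSIX shell audit that walks every vhost directory under a parent directory (the post keeps them under /data) and reports any that are group- or world-writable, which is the same condition suPHP refuses in the error log above ("Directory ... is writeable by group"). It lets an admin spot a docroot that has drifted from the intended 711 before the next request trips over it. The fixture directory names and modes below are constructed so the script runs stand-alone; the function and variable names are my own.

```shell
#!/bin/sh
# Audit vhost document roots for group/world-writable permission bits.
# Added example, not code from the original post or from phpFM/suPHP.

# writable_by_others DIR -> prints "group", "other", "group,other" or "ok".
# Uses the symbolic mode string from ls -ld (position 6 = group write,
# position 9 = other write), which is portable across sh implementations.
writable_by_others() {
    perm=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perm" ] || return 2
    g=$(printf '%s' "$perm" | cut -c6)
    o=$(printf '%s' "$perm" | cut -c9)
    if [ "$g" = w ] && [ "$o" = w ]; then
        echo "group,other"
    elif [ "$g" = w ]; then
        echo "group"
    elif [ "$o" = w ]; then
        echo "other"
    else
        echo "ok"
    fi
}

# audit_vhosts PARENT -> prints one WARN line per offending vhost directory
# and returns 1 if any was found (so it can gate a cron job or a deploy).
audit_vhosts() {
    parent=$1
    bad=0
    for d in "$parent"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        state=$(writable_by_others "$d")
        [ "$state" = ok ] && continue
        echo "WARN $d writable by $state (mode $(ls -ld "$d" | cut -c1-10))"
        bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# build_fixture -> creates a constructed vhost tree in a temp dir and prints
# its path: one directory in the post's intended 711 state and one in the
# 777 state the post observed after running the file manager.
build_fixture() {
    root=$(mktemp -d) || return 2
    mkdir "$root/www.test.com" "$root/www.ok.com"
    chmod 777 "$root/www.test.com"   # constructed: what the post saw afterwards
    chmod 711 "$root/www.ok.com"     # constructed: the intended mode
    echo "$root"
}

# Usage: sh audit.sh /data   (audit a real vhost parent, exit 1 on findings)
#        sh audit.sh         (audit the constructed fixture and clean it up)
if [ $# -gt 0 ]; then
    audit_vhosts "$1"
    exit $?
else
    fixture=$(build_fixture)
    audit_vhosts "$fixture" || :
    rm -rf "$fixture"
fi
```

Run it as the same unprivileged user that owns the vhosts (no root needed to read modes); on a system with the post's layout, `sh audit.sh /data` prints a WARN line for www.test.com in the 777 state and nothing for a directory still at 711.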
------------
System: Fedora Core 3 - no SELinux


httpd -V
Server version: Apache/2.0.54
Server built:   Apr 18 2005 21:03:32
Server's Module Magic Number: 20020903:9
Architecture:   32-bit
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 

-- 

I didn't trace and debug the thing yet, pretty in a hurry right now, to find out what may have caused it ... has anyone heard about it?