Major Security Flaw with apache (apr) on FC3 & FC4
FC
fedora at ows.ch
Tue Jul 5 10:50:15 UTC 2005
Alexander Dalloz wrote:
>Am Di, den 05.07.2005 schrieb FC um 12:16:
>
>Please! Do not top-post and fully quote. this is a mailing list and the
>content of previous mails is still available if one likes to check
>content of a previous message.
>
>
>
>>Any1 can explain this :)
>>I have an explanation .. IF the dir is owned by the same user the phpfm
>>is owned it WILL change the dir rights
>>example : mod_php
>>/var/www/html/ owned by root:root
>>/var/www/html/phpfm.php owned by apache.apache
>>nothing changes
>>
>>then /var/www/html/ owned by apache:apache
>>
>>BOOM -> 777 on the dir ...
>>
>>That's a major security flaw .
>>
>>
>
>What you describe is in my eyes just a badly behaving PHP application.
>If a directory in the DocumentRoot or the DocumentRoot is owned by the
>UID of the Apache user, then of course Apache has the permissions to
>change the dir and like you show us. Any PHP or other language script
>can do so. It demonstrates why it is good that by default the
>DocumentRoot is root:root owned on Fedora. The Apache user does not need
>to be the owner.
>
>Alexander
>
>
>
>
I agree with you of course Alexander, what is tricking me, it does work
on some setups .. it is not a general behaviour
Another very dangerous thing happened, using a vurtualhost, using
different users for each vhost
I could change the rights on the dir of / that's not a dir owned by the
user ...
There is still something strange there .... (that's why I think it has
to do with a combination of different packages
but couldnt point to teh combiantion yet) ...
-Philip
More information about the fedora-list
mailing list