Mailing List Archive

NCSA httpd: patch for CGI insecurity (fwd)
To which I replied, "CGI scripts are a security hole, period, if the
admin can not trust the people putting up scripts behind the server."

By the way, does this close the error log before the script gets to it?
Very bad, as I think the scripts should be allowed to write to the error
log with stderr for debugging purposes. Unless we decide we can have a
stderr_log....

Brian

---------- Forwarded message ----------
Date: Thu, 4 May 1995 16:17:55 -0700 (PDT)
From: Paul Phillips <paulp@cerf.net>
To: www-security@ns2.rutgers.edu, www-managers@list.Stanford.EDU,
bugtraq@fc.net, httpd@ncsa.uiuc.edu
Subject: NCSA httpd: patch for CGI insecurity



On Thu, 4 May 1995, Paul Phillips wrote:

> It was pointed out that fchdir could conceivably be used to escape a
> chrooted area. I also really don't like the idea that a CGI can log an
> arbitrary amount of false information. Trashing the log files at least
> informs the web admin that something is up, but information warfare can
> be more dangerous than information vandalism.

Sorry to quote myself, but this is quite more serious than I had
originally painted it. I know of some commercial web space providers
that charge by the byte for bandwidth used. If I have an account and CGI
access on the same server that someone else does, what is to stop me from
logging lots of entries for someone else on the server, greatly
increasing their tab? Nothing. In fact, with a single CGI I could fork
another process that sits around in the background and logs accesses to
my enemies every minute or so.

Not good. Anyone running any NCSA server that uses the logs for
billing is on thin ice. On that note, here is a patch for httpd1.4 that
fixes the problem.


*** http_log.c.orig Thu May 4 16:00:27 1995
--- http_log.c Thu May 4 16:13:26 1995
***************
*** 57,62 ****
--- 57,64 ----
extern char *save_name;

void open_logs() {
+ int flags;
+
if(!(error_log = fopen(error_fname,"a"))) {
fprintf(stderr,"httpd: could not open error log file %s.\n",
error_fname);
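Review bot: `int flags;` is declared at the top of open_logs() but nothing in either hunk adds `#include <fcntl.h>`, which F_GETFD, F_SETFD and FD_CLOEXEC require; confirm http_log.c already pulls it in (directly or through the server's common header), otherwise the patched file fails to compile on an undeclared identifier. The declaration itself is fine, since the variable is only used later in the same function after the fopen() calls.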
***************
*** 81,86 ****
--- 83,106 ----
perror("fopen");
exit(1);
}
+
+ /* set close-on-exec flag so CGI's cannot get to logs */
+
+ flags = fcntl(fileno(error_log), F_GETFD);
+ flags |= FD_CLOEXEC;
+ fcntl(fileno(error_log), F_SETFD, flags);
+
+ flags = fcntl(xfer_log, F_GETFD);
+ flags |= FD_CLOEXEC;
+ fcntl(xfer_log, F_SETFD, flags);
+
+ flags = fcntl(fileno(agent_log), F_GETFD);
+ flags |= FD_CLOEXEC;
+ fcntl(fileno(agent_log), F_SETFD, flags);
+
+ flags = fcntl(fileno(referer_log), F_GETFD);
+ flags |= FD_CLOEXEC;
+ fcntl(fileno(referer_log), F_SETFD, flags);
}

void close_logs() {
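Review bot: the four fcntl() sequences ignore their return values; if F_GETFD fails, `flags` is -1 and `fcntl(fd, F_SETFD, -1)` is attempted, so the flag can silently fail to be set on exactly the descriptor this patch exists to protect. Check both calls and treat failure the way the surrounding fopen() failures are treated (message and exit(1)), and fold the repeated three lines into a small static helper so any further log descriptors get the same handling. Also, `xfer_log` is passed to fcntl() directly while the other three go through fileno(); that is correct only if xfer_log is an int descriptor rather than a FILE *, and a one-line comment would stop the asymmetry from reading as a mistake. Finally, FD_CLOEXEC only prevents inheritance across exec: a script running under the server's uid can still open the log path itself if the file mode permits, so the permissions on the log files and directory remain part of the fix.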


------------ End patch -----------------

--
Paul Phillips EMAIL: paulp@cerf.net
WWW: http://www.primus.com/staff/paulp/ PHONE: (619) 220-0850
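Added example, not code from this thread or from NCSA httpd: a small C program that shows what the patch's FD_CLOEXEC approach achieves across an exec, with the fcntl() results checked, and the dup() behaviour that bears on the reply's question about scripts writing to the error log through stderr. It assumes a POSIX system with /bin/sh; a pipe stands in for the log descriptor.

```c
/* Added example (not part of the original thread or the NCSA httpd source):
 * demonstrates close-on-exec log descriptors as used in the patch.
 * Assumes POSIX fork/exec and /bin/sh; a pipe stands in for a log file. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark a descriptor close-on-exec. Same idea as the patch, but both
 * fcntl() results are checked: an unchecked F_GETFD failure would feed
 * -1 into F_SETFD and the flag would silently not be set. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1) return -1;
    return 0;
}

/* Fork and exec a shell that tries to write through descriptor fd,
 * the way a CGI script would write to an inherited log descriptor.
 * Returns 1 if the exec'd child could use the descriptor, 0 if the
 * shell's redirection failed (descriptor closed on exec), -1 on error. */
int child_can_write_fd(int fd) {
    char cmd[64];
    /* 2>/dev/null first, so the shell's own "Bad file descriptor" is quiet */
    snprintf(cmd, sizeof cmd, "echo from-child 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Scenario 1: a plainly inherited descriptor, as on an unpatched server. */
int inherited_fd_is_usable(void) {
    int p[2];
    if (pipe(p) == -1) return -1;
    int r = child_can_write_fd(p[1]);
    close(p[0]);
    close(p[1]);
    return r;
}

/* Scenario 2: the same descriptor marked close-on-exec, as in the patch. */
int cloexec_fd_is_usable(void) {
    int p[2];
    if (pipe(p) == -1) return -1;
    if (set_cloexec(p[1]) == -1) return -1;
    int r = child_can_write_fd(p[1]);
    close(p[0]);
    close(p[1]);
    return r;
}

/* Scenario 3: dup()/dup2() never copy FD_CLOEXEC. Returns 1 if the
 * duplicate of a close-on-exec descriptor lacks the flag, 0 otherwise. */
int dup_clears_cloexec(void) {
    int p[2];
    if (pipe(p) == -1) return -1;
    if (set_cloexec(p[1]) == -1) return -1;
    int d = dup(p[1]);
    if (d == -1) return -1;
    int flags = fcntl(d, F_GETFD);
    close(d);
    close(p[0]);
    close(p[1]);
    if (flags == -1) return -1;
    return (flags & FD_CLOEXEC) == 0;
}

int main(void) {
    printf("inherited descriptor usable by exec'd child: %d\n",
           inherited_fd_is_usable());
    printf("FD_CLOEXEC descriptor usable by exec'd child: %d\n",
           cloexec_fd_is_usable());
    printf("dup() of a FD_CLOEXEC descriptor lacks the flag: %d\n",
           dup_clears_cloexec());
    return 0;
}
```

set_cloexec() is the patch's three lines with the error handling a reviewer would ask for. The exec'd shell can write through the inherited pipe but not through the one marked close-on-exec, which is the whole effect of the patch on a script that writes to a descriptor number it found open. dup_clears_cloexec() shows the nuance behind the reply's stderr question: a duplicate made with dup() or dup2() carries no FD_CLOEXEC, so a CGI launcher that dup2()s the error log onto fd 2 before exec still hands scripts a working stderr while the original numbered descriptor is closed. Whether NCSA httpd's CGI code does that is not shown in this thread.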