| Summary: | Suexec does not correctly check that scripts are inside the docroot | ||
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | Stefan Fritsch <sf> |
| Component: | support | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | NEW --- | ||
| Severity: | normal | CC: | schwarz, yuya.presto |
| Priority: | P2 | Keywords: | PatchAvailable |
| Version: | 2.5-HEAD | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | All | ||
| Attachments: |
patch for suexec
more simple patch |
||
Created attachment 21780 [details]
patch for suexec
This patch should fix both issues, but I am not sure if the fchdir part is portable.
Created attachment 23383 [details]
more simple patch
This is simpler patch.
It only tests whether NULL or '/' is exist on the end of cwd string.
(In reply to comment #2) > Created an attachment (id=23383) [details] > more simple patch > > This is simpler patch. > It only tests whether NULL or '/' is exist on the end of cwd string. Have you tested this in the case that the script is located directly in the document root (and not in a subdir?) Oops.. I've forgotten to test that case... I have just tested whether it execs /var/www/test_args.cgi with AP_DOC_ROOT="/var/www". I also tested whether it doesn't exec /var/www-test/test_args.cgi. And it works for me. :) |
Suexec does not check correctly that the executed script is inside the docroot directory. It does chdir(AP_DOC_ROOT) getcwd(dwd, AP_MAXPATH) to get the docroot directory and then does a simple strncmp(cwd, dwd, strlen(dwd)) to compare it with the working directory. But getcwd returns the directory without a trailing slash (at least under linux). This means that, if AP_DOC_ROOT is set to e.g. /var/www, suexec will happily execute scripts under /var/www.bak . The same is true for userdir requests, i.e. /home/joe/public_html.bak will be accepted. As Joe Orton pointed out, this is http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1742 The advisory http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=511 also lists a race condition.