>Number: 237
>Category: suexec
>Synopsis: Inappropriate bypass of suexec / Inappropriate usage of suexec
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Mon Mar 17 04:00:02 1997
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: 1.2b7
>Environment:
UNIX (physically checked 1.2b6)
>Description:
(a) Bypass:
I believe that it is possible to bypass suexec with the use of an "nph-*"
CGI. This gives server permission state to the CGI, could be root, or
possibly allow a user to erase the web server!
(b) Usage:
I have since replaced the suexec utility, finding it rather dangerous,
however, what prevents someone running the suexec command from a shell
possibly to take advantage of extra executables in public_html directory?
>How-To-Repeat:
(a) Create an nph- CGI!
(b) Run suexec from a shell, substituting your own information and parameters!
>Fix:
(a) Have nph- CGIs also call SUEXEC.
(b) I have temporarily amended this problem by passing on a secret password
to suexec -- this is obviously a poor improvement. This password is added
just before calling suexec and rests securely only if the source code is
unreadable! A better suggestion would be to verify that the calling
process was the web-server... Don't know how to do that.
>Audit-Trail:
>Unformatted:
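
Added example, not part of the original report and not Apache's suexec source: one way a setuid wrapper can verify that it was started by the web server account, the check asked for under Fix (b). The account name "www", the argument layout and the names check_caller and GATE_* are assumptions made for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define HTTPD_USER "www"   /* assumption: account the web server runs as */

enum gate { GATE_OK = 0, GATE_BAD_ARGS, GATE_NO_SUCH_USER, GATE_WRONG_CALLER };

/*
 * Decide whether the invoking process may use the wrapper.
 * real_uid must come from getuid(): in a setuid-root binary the effective
 * UID is root, while the real UID still identifies the account that ran it.
 */
enum gate check_caller(uid_t real_uid, const char *httpd_user, int argc)
{
    struct passwd *pw;

    /* hypothetical layout: wrapper <target-user> <target-group> <program> */
    if (argc < 4)
        return GATE_BAD_ARGS;

    /* Resolve the configured server account; fail closed if it is missing. */
    pw = getpwnam(httpd_user);
    if (pw == NULL)
        return GATE_NO_SUCH_USER;

    /* A shell user running the wrapper by hand has a different real UID. */
    if (pw->pw_uid != real_uid)
        return GATE_WRONG_CALLER;

    return GATE_OK;
}

int main(int argc, char **argv)
{
    enum gate g = check_caller(getuid(), HTTPD_USER, argc);

    if (g != GATE_OK) {
        fprintf(stderr, "%s: caller refused (reason %d)\n", argv[0], (int)g);
        return 1;
    }
    /* Only past this point would the wrapper validate the target user,
     * group and program path, drop privileges and exec the CGI. */
    return 0;
}
```

This check stops the by-hand invocation in (b), but any code already running as the server account passes it, which is why the bypass in (a) still matters: a CGI started without the wrapper holds that identity.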