https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
Summary: Suexec does not correctly check that scripts are inside the docroot
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: Other
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_suexec
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]

Suexec does not check correctly that the executed script is inside the
docroot directory. It does

    chdir(AP_DOC_ROOT)
    getcwd(dwd, AP_MAXPATH)

to get the docroot directory and then does a simple

    strncmp(cwd, dwd, strlen(dwd))

to compare it with the working directory. But getcwd returns the
directory without a trailing slash (at least under Linux). This means
that, if AP_DOC_ROOT is set to e.g. /var/www, suexec will happily
execute scripts under /var/www.bak. The same is true for userdir
requests, i.e. /home/joe/public_html.bak will be accepted.

As Joe Orton pointed out, this is
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1742
The advisory
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=511
also lists a race condition.
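
Added example (not part of the original report and not suexec's own code): the prefix comparison described in the report next to a variant that only accepts a match ending on a path-component boundary. The function names and sample paths are constructed for illustration; both arguments are assumed to be getcwd() results, and the race condition mentioned in the advisory is not addressed here.

```c
#include <stdio.h>
#include <string.h>

/* Comparison as described in the report: a plain string-prefix test.
 * Returns 1 when cwd is accepted as lying under docroot. */
int under_docroot_prefix(const char *cwd, const char *docroot)
{
    return strncmp(cwd, docroot, strlen(docroot)) == 0;
}

/* Boundary-aware variant (hypothetical helper): the prefix must be
 * followed by '/' or end of string, so "/var/www.bak" no longer
 * matches "/var/www". */
int under_docroot_component(const char *cwd, const char *docroot)
{
    size_t n = strlen(docroot);

    /* Tolerate a docroot given with a trailing slash. */
    if (n > 1 && docroot[n - 1] == '/')
        n--;
    if (strncmp(cwd, docroot, n) != 0)
        return 0;
    /* "/" contains every absolute path. */
    if (n == 1 && docroot[0] == '/')
        return 1;
    /* Safe to read cwd[n]: the first n bytes matched non-NUL bytes. */
    return cwd[n] == '\0' || cwd[n] == '/';
}

int main(void)
{
    /* Constructed sample paths, using the directories named in the report. */
    const char *docroot = "/var/www";
    const char *samples[] = {
        "/var/www",
        "/var/www/cgi-bin",
        "/var/www.bak",
        "/var/www.bak/cgi-bin",
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s prefix=%d component=%d\n", samples[i],
               under_docroot_prefix(samples[i], docroot),
               under_docroot_component(samples[i], docroot));
    return 0;
}
```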