Re: [patch] Fix cross-user symlink race condition vulnerability

2012-10-31 Thread Christophe JAILLET

On 31/10/2012 05:46, Eric Jacobs wrote:
 There is a race condition vulnerability in httpd 2.2.23 (also present
 in previous releases) that allows a malicious user to serve arbitrary
 files from nearly anywhere on a server that isn't protected by strict
 os level permissions. In a shared hosting environment, this is a big
 vulnerability.

 If you would like more information on the exploit itself, please let
 me know. I have a proof of concept that is able to hit the exploit
 with 100% success.

 This is my first patch submitted to Apache, so I'm sorry if I've
 missed something. I'm aware that this doesn't meet some of the code
 standards that are in place (e.g., it doesn't work at all on Windows),
 but I wanted to put it out there anyway.

 The patch that fixes the vulnerability is attached. Thank you in
 advance for the feedback.




Hi,

could you please open a bug report on bugzilla
(https://issues.apache.org/bugzilla/) so that your message and proposed
patch do not get lost in this mailing list.


Thanks in advance.

Best regards,
Christophe JAILLET



Re: New feature request for balancer-manager: command line usage

2012-10-31 Thread Graham Leggett
On 30 Oct 2012, at 9:12 PM, John M jfm.apa...@gmail.com wrote:

 I have a new feature request for the balancer-manager: the ability to
 enable or disable servers in the balancer using the command line,
 instead of using the only way that exists that I know of: the
 balancer-manager webpage.  The use case for this would be the creation
 of a shell script that could call such a command-prompt command, as
 part of an automated hot-deploy or continuous deployment architecture.

Could you not use an HTTP client like curl within your shell script to do this, 
or are there circumstances that make this difficult?

Regards,
Graham
--





Re: [patch] Fix cross-user symlink race condition vulnerability

2012-10-31 Thread Graham Leggett
On 31 Oct 2012, at 6:46 AM, Eric Jacobs ejac...@bluehost.com wrote:

 There is a race condition vulnerability in httpd 2.2.23 (also present in 
 previous releases) that allows a malicious user to serve arbitrary files from 
 nearly anywhere on a server that isn't protected by strict os level 
 permissions. In a shared hosting environment, this is a big vulnerability.
 
 If you would like more information on the exploit itself, please let me know. 
 I have a proof of concept that is able to hit the exploit with 100% success.
 
 This is my first patch submitted to Apache, so I'm sorry if I've missed 
 something. I'm aware that this doesn't meet some of the code standards that 
 are in place (e.g., it doesn't work at all on Windows), but I wanted to put it 
 out there anyway.
 
 The patch that fixes the vulnerability is attached. Thank you in advance for 
 the feedback.

As this is reported as a security issue, would it be possible instead to email 
the details to secur...@httpd.apache.org, and we can take a look?

Regards,
Graham
--





Re: [patch] Fix cross-user symlink race condition vulnerability

2012-10-31 Thread Eric Covener
On Wed, Oct 31, 2012 at 7:31 AM, Graham Leggett minf...@sharp.fm wrote:
 On 31 Oct 2012, at 6:46 AM, Eric Jacobs ejac...@bluehost.com wrote:

 There is a race condition vulnerability in httpd 2.2.23 (also present in 
 previous releases) that allows a malicious user to serve arbitrary files 
 from nearly anywhere on a server that isn't protected by strict os level 
 permissions. In a shared hosting environment, this is a big vulnerability.

 If you would like more information on the exploit itself, please let me 
 know. I have a proof of concept that is able to hit the exploit with 100% 
 success.

 This is my first patch submitted to Apache, so I'm sorry if I've missed 
 something. I'm aware that this doesn't meet some of the code standards that 
 are in place (e.g., it doesn't work at all on Windows), but I wanted to put 
 it out there anyway.

 The patch that fixes the vulnerability is attached. Thank you in advance for 
 the feedback.

 As this is reported as a security issue, would it be possible instead to 
 email the details to secur...@httpd.apache.org, and we can take a look?


In general that is the proper form -- but this particular issue is
documented as a limitation:

Omitting this option should not be considered a security restriction,
since symlink testing is subject to race conditions that make it
circumventable.
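The limitation quoted above comes from checking a path (lstat) and then opening the same path later, which leaves a window in which the path can be swapped. A race-free form of an owner check, written here as an added illustration and not the patch from this thread (which is not reproduced on this page), opens first and then inspects the inode behind the descriptor with fstat(); `open_if_owner_matches` and `self_test` are names chosen for this example:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` read-only and return the fd only if the object actually
 * opened is a regular file owned by `expected_uid`.  O_NOFOLLOW refuses a
 * symlink in the final component, and fstat() describes the opened inode
 * rather than a path that may have changed, so there is no check-then-use
 * window.  Refusal returns -1 with errno ELOOP (symlink) or EACCES.
 * Caveat: symlinks in intermediate directory components are still
 * followed; covering those needs an openat() walk per component. */
int open_if_owner_matches(const char *path, uid_t expected_uid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_uid) {
        close(fd);
        errno = EACCES;  /* not a regular file we can attribute to expected_uid */
        return -1;
    }
    return fd;
}

/* Self-check on a constructed temp file (owned by us) plus a symlink to
 * it; returns 1 when all three outcomes are as expected. */
int self_test(void)
{
    char file[] = "/tmp/ownercheck.XXXXXX", link[64];
    int fd = mkstemp(file), r, ok = 0;
    if (fd < 0)
        return 0;
    close(fd);
    strcpy(link, file);
    strcat(link, ".lnk");
    if (symlink(file, link) == 0) {
        r = open_if_owner_matches(file, getuid());      /* own file: accepted */
        ok = r >= 0;
        if (r >= 0)
            close(r);
        r = open_if_owner_matches(file, getuid() + 1);  /* other owner: refused */
        ok = ok && r < 0 && errno == EACCES;
        r = open_if_owner_matches(link, getuid());      /* symlink: refused */
        ok = ok && r < 0 && errno == ELOOP;
        unlink(link);
    }
    unlink(file);
    return ok;
}
```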


Re: [patch] Fix cross-user symlink race condition vulnerability

2012-10-31 Thread Eric Jacobs

On 10/31/2012 06:00 AM, Eric Covener wrote:

 In general that is the proper form -- but this particular issue is
 documented as a limitation:

 Omitting this option should not be considered a security restriction,
 since symlink testing is subject to race conditions that make it
 circumventable.


Some users (like Bluehost) require the functionality of symlinks without 
the possibility of server side vulnerabilities. Having the vulnerability 
documented doesn't keep servers safe. The patch I submitted allows httpd 
to use symlinks in a protected fashion that doesn't allow for users to 
serve arbitrary files.


I'll go ahead and submit a more detailed email to the security. More 
feedback from the devs is appreciated.



--

Eric Jacobs
Junior Systems Administrator
Bluehost.com


Re: [patch] Fix cross-user symlink race condition vulnerability

2012-10-31 Thread Eric Covener
On Wed, Oct 31, 2012 at 3:36 PM, Eric Jacobs ejac...@bluehost.com wrote:
 On 10/31/2012 06:00 AM, Eric Covener wrote:

 In general that is the proper form -- but this particular issue is
 documented as a limitation:

 Omitting this option should not be considered a security restriction,
 since symlink testing is subject to race conditions that make it
 circumventable.


 Some users (like Bluehost) require the functionality of symlinks without the
 possibility of server side vulnerabilities. Having the vulnerability
 documented doesn't keep servers safe.

My point was that discussion of this particular issue does not need to
be segregated to the private security list.


conn_rec to request_rec

2012-10-31 Thread André Ferraz
Hi,
I didn't find it anywhere in the docs. I know that the request_req has a
pointer to the conn_rec of that request, but based on
ap_hook_process_connection, which only gives me the conn_rec, is it
possible to get the request_req if I only have the conn_rec?


[]s


Re: conn_rec to request_rec

2012-10-31 Thread Nick Kew
On Wed, 31 Oct 2012 18:42:33 -0200
André Ferraz defer...@terra.com.br wrote:

 Hi,
 I didn't find it anywhere in the docs. I know that the request_req has a
 pointer to the conn_rec of that request, but based on
 ap_hook_process_connection, which only gives me the conn_rec, is it
 possible to get the request_req if I only have the conn_rec?

What request_req?  A connection doesn't imply there's a request.
There are typically many requests to a connection (unless you
disable keepalive).

-- 
Nick Kew


Re: When does Apache restart child processes

2012-10-31 Thread Eric Covener
 It's possible this is because a burst of requests causes Apache to spin up
 child processes to handle them, but perhaps the load-test generation slows
 down at some point, Apache winds up with idle processes, and closes some
 down?  Is that plausible?

http://httpd.apache.org/docs/2.2/mod/mpm_common.html#minsparethreads
http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxsparethreads