>Number: 2085 >Category: mod_log-any >Synopsis: Logfiles provide a big backdoor in apache v* >Confidential: no >Severity: critical >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Apr 20 17:10:01 PDT 1998 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: ALL >Environment: Linux 2.0.33 GCC 2.7.2.3 Linux frozen.villaweb.net 2.0.33 #7 Sun Mar 29 06:19:26 EST 1998 i586 unknown >Description: I was trying to hack my box (just to see if/how others could), and I found a very big, and dangerous flaw... I had a logfiles directory for every user where they had all the standard Apache logs... >How-To-Repeat: ln -s /etc/passwd TransferLog I went and rehashed httpd (as root, sooner or later, all admins rehash webservers) killall -HUP httpd and, voila, I (as a regular user) now had write access to /etc/passwd you cant control what gets written, but, it is still very dangerous... >Fix: I also found a temporary fix, but I think there should be an option in apache where you control what user writes the logfile... I compiled the "rotatelogs" program (its in one of the apache source subdirs), and put it in /usr/bin I added a "htlogd" user, and chown'd the file to htlogd.htlogd, and made it suid, so it executes as user htlogd adduser htlogd ; chown htlogd.htlogd rotatelogs ; chmod 4700 rotatelogs I made all of the logfiles dirs owned by htlogd, and I changed all of the logfile lines in httpd.conf in this fasion: BEFORE --- TransferLog "/home/website.com/logfiles/TransferLog" AFTER --- TransferLog "|rotatelogs /home/website.com/logfiles/TransferLog 86400"
It is a fairly good temporary fix... %0 >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include <[EMAIL PROTECTED]> in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ]
