On 05/29/2007 11:28 PM, William A. Rowe, Jr. wrote:
> Ian Holsman wrote:
>
>>Hey Bill
>>
>>just to clarify these are LOCAL DoS attacks? ie you need access to the
>>machine (or the ability to execute php) in order for this to be an issue?
>
>
> AIUI all of these are loading modules of untrusted code (or a scripting
> language which gives you the same effect.) Now mod_perl has minimal
> presumption that it can be used to run untrusted code, while the PHP
> community anticipates running untrusted code. The httpd community is
> (mostly) suspect on invoking untrusted code in-process.
>
> That said, #2/3 looks like the only significant issue IMHO. That the
> parent could be coerced to do something 'as root' is badness, and
> we can agree with the reporter on that. As the reporter apparently
> believes 2 weeks is enough to solve any security issue, these are now
> public.

2 weeks? The text in the reporter's mail (see end of mail) speaks about
May 16th, 2006. This would be about a year (and this is mentioned as
reason for publishing).
When did they actually send this to security@ and to which
([EMAIL PROTECTED], [EMAIL PROTECTED])?

>
> #1 and #4 are minor, IMHO, as resource consumption is pretty trivial
> if you are running anyone's code on your machine, through the facilities
> of serving httpd or giving them a local user account. I'd classify #1
> as a bug, and #4 as silly but possibly worth patching.
>
> Essentially, PID tables need to move from the score to a local process
> list only in the parent, and unshared. That would solve the 80/20 of
> this entire class of issues.

So, I guess #2/#3 happens due to a manipulation of the pids in the
scoreboard which tricks the parent process into sending the signals to
the wrong pids (once it has a need to do so to its children).

Any more details about #1/#4?

Regards

Rüdiger

>>>
>>>
>>>The information on the vulnerabilities above was sent to Apache
>>>Software Foundation on 16 May, 2006. For over 1 year no official patch
>>>has been issued. PSNC Security Team is currently working on its own,
>>>unofficial patches. Our patches will be published on 18 June, 2007 on
>>>the team webpage (http://security.psnc.pl). On 20 June, 2007 the
>>>detailed information on the found vulnerabilities will be issued.
>>>
>>>
>>>PSNC Security Team
>>>
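The mitigation discussed in this thread (a PID list held only in the parent, not in the shared scoreboard) can be sketched as below. This is an added illustration, not part of the original mail and not httpd source; struct child_table, checked_target and signal_child_checked are hypothetical names, and the table is assumed to be filled only from the parent's own fork() return values.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stddef.h>
#include <sys/types.h>

#define MAX_CHILDREN 8

/* Private to the parent: filled only from fork() return values and never
 * placed in memory that worker processes can write to. */
struct child_table {
    pid_t pids[MAX_CHILDREN];
    size_t count;
};

/* Record a pid the parent itself obtained from fork(). */
static int child_table_add(struct child_table *t, pid_t pid)
{
    if (pid <= 1 || t->count >= MAX_CHILDREN)
        return -1;
    t->pids[t->count++] = pid;
    return 0;
}

/* Treat a pid read from a shared slot as untrusted input. Values <= 1 are
 * always refused (0 and negatives address process groups, 1 is init);
 * anything else must match the parent's private records.
 * Returns the pid if it may be signalled, -1 otherwise. */
static pid_t checked_target(const struct child_table *t, pid_t slot_pid)
{
    if (slot_pid <= 1)
        return -1;
    for (size_t i = 0; i < t->count; i++)
        if (t->pids[i] == slot_pid)
            return slot_pid;
    return -1;
}

/* Send sig only to a confirmed child; a refused pid never reaches kill(). */
static int signal_child_checked(const struct child_table *t,
                                pid_t slot_pid, int sig)
{
    pid_t target = checked_target(t, slot_pid);
    return target < 0 ? -1 : kill(target, sig);
}
```

A refusal (-1 from checked_target) is also worth logging in the parent, since it means a shared slot held a pid the parent never forked.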
