On Wed, Oct 31, 2012 at 7:31 AM, Graham Leggett <minf...@sharp.fm> wrote:
> On 31 Oct 2012, at 6:46 AM, Eric Jacobs <ejac...@bluehost.com> wrote:
>
>> There is a race condition vulnerability in httpd 2.2.23 (also present in
>> previous releases) that allows a malicious user to serve arbitrary files
>> from nearly anywhere on a server that isn't protected by strict os level
>> permissions. In a shared hosting environment, this is a big vulnerability.
>>
>> If you would like more information on the exploit itself, please let me
>> know. I have a proof of concept that is able to hit the exploit with 100%
>> success.
>>
>> This is my first patch submitted to Apache, so I'm sorry if I've missed
>> something. I'm aware that this doesn't meet some of the code standards that
>> are in place (e.g., it doesn't work at all on Windows), but I wanted to put
>> it out there anyway.
>>
>> The patch that fixes the vulnerability is attached. Thank you in advance for
>> the feedback.
>
> As this is reported as a security issue, would it be possible instead to
> email the details to secur...@httpd.apache.org, and we can take a look?
>
In general that is the proper form -- but this particular issue is documented as a limitation: "Omitting this option should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable."