covener at gmail
Oct 31, 2012, 5:00 AM
Post #4 of 9
Re: [patch] Fix cross-user symlink race condition vulnerability
On Wed, Oct 31, 2012 at 7:31 AM, Graham Leggett <minfrin [at] sharp> wrote:
> On 31 Oct 2012, at 6:46 AM, Eric Jacobs <ejacobs [at] bluehost> wrote:
>> There is a race condition vulnerability in httpd 2.2.23 (also present in previous releases) that allows a malicious user to serve arbitrary files from nearly anywhere on a server that isn't protected by strict OS-level permissions. In a shared hosting environment, this is a big vulnerability.
>> If you would like more information on the exploit itself, please let me know. I have a proof of concept that is able to hit the exploit with 100% success.
>> This is my first patch submitted to Apache, so I'm sorry if I've missed something. I'm aware that this doesn't meet some of the code standards that are in place (e.g., it doesn't work at all on Windows), but I wanted to put it out there anyway.
>> The patch that fixes the vulnerability is attached. Thank you in advance for the feedback.
> As this is reported as a security issue, would it be possible instead to email the details to security [at] httpd, and we can take a look?
In general that is the proper form -- but this particular issue is
documented as a limitation:
"Omitting this option should not be considered a security restriction,
since symlink testing is subject to race conditions that make it
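The documentation's point that symlink testing is "subject to race conditions" is the classic check-then-open window; as an added illustration (not httpd's code and not the submitted patch), here is the racy lstat()/open() pair beside an open that lets the kernel reject a symlink at the final component atomically, exercised against a constructed temp-dir fixture. It assumes a POSIX system with O_NOFOLLOW and a writable /tmp.

```c
#define _GNU_SOURCE                 /* for mkdtemp(), symlink(), O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: lstat() the name, then open() the same name. Nothing ties the
 * two calls together; whoever controls the directory can swap in a symlink
 * between them, and open() will follow it. */
int open_racy(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    if (S_ISLNK(st.st_mode)) { errno = ELOOP; return -1; }
    return open(path, O_RDONLY);        /* <-- the name may have changed by now */
}

/* Hardened: O_NOFOLLOW makes the kernel refuse a symlink at the final component
 * as part of the open itself, and fstat() checks that the object actually opened
 * (not the name) is a regular file. Caveat: symlinks in intermediate directory
 * components are still followed; O_NOFOLLOW covers only the last component. */
int open_nofollow(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); errno = EPERM; return -1; }
    return fd;
}

/* Constructed fixture: a temp dir with a regular file and a symlink to it.
 * Returns a bitmask: 1 = regular file opens, 2 = symlink refused with ELOOP,
 * 4 = a plain open() of that symlink follows it (which is why the window matters). */
int run_demo(void) {
    char dir[] = "/tmp/symlink-demo.XXXXXX", target[64], lnk[64];
    int result = 0, fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    if ((fd = open(target, O_WRONLY | O_CREAT, 0600)) < 0) return -1;
    close(fd);
    if (symlink(target, lnk) != 0) return -1;
    if ((fd = open_nofollow(target)) >= 0) { result |= 1; close(fd); }
    if (open_nofollow(lnk) < 0 && errno == ELOOP) result |= 2;
    if ((fd = open(lnk, O_RDONLY)) >= 0) { result |= 4; close(fd); }
    unlink(lnk); unlink(target); rmdir(dir);
    return result;                      /* 7 when all three observations hold */
}
```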