[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [cobalt-developers] Security issues with running files owned by httpd under a virtual site.
- Subject: RE: [cobalt-developers] Security issues with running files owned by httpd under a virtual site.
- From: "KAMRY" <kamry1888@xxxxxxxxx>
- Date: Sun Jun 24 03:44:08 2001
- List-id: Discussion Forum for developers on Cobalt Networks products <cobalt-developers.list.cobalt.com>
But how would someone other than root or httpd write to the folders. In
other words, for the cgi/perl script you mentioned, how would it be written
in those dir owned by httpd. Remember under /web we have a folder owned by
httpd and grouped as httpd with r-x only.
Am I missing something,,,,
KAL
-----Original Message-----
From: cobalt-developers-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of shimi
Sent: Sunday, June 24, 2001 4:32 AM
To: cobalt-developers@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-developers] Security issues with running files
owned by httpd under a virtual site.
On Sat, 23 Jun 2001, KAMRY wrote:
> But can't they have privileges to the httpd demon and probably do some
stuff
> on that demon.
>
> Kal
>
I don't recall Apache having any control system or any interactive session
or whatever that can be controlled from the outside... but now that you
mentioned it, I do think of a problem that may accour.
Someone who played more than me on this is welcome to tell what this CGI
script will do:
#!/bin/sh
killall -9 httpd
indeed looks serious to me, even with CGIwrap (as you can do exec from SSI
as well.) - ideas, anyone?
- shimi
_______________________________________________
cobalt-developers mailing list
cobalt-developers@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-developers
_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com