Major Security Flaw with apache on FC3

Alexander Dalloz ad+lists at uni-x.org
Mon Jul 4 14:31:36 UTC 2005


On Mon, 04.07.2005 at 16:06, Fedora Mailing List wrote:

> The Scenario :
> 
> get this php filemanager :
> http://phpfm.sourceforge.net/#downloads
> simply unzip into your web site directory
> 
> I have vhosts under a /data dir
> 
> rights 711 on the vhost dir, all fine
> drwx--x--x  19 john data 4096 Jun 24 15:35 www.test.com
> 
> after calling the php file manager http://site.name/index.php
> the rights on the directory are made world writeable
> 
> drwxrwxrwx  13 john data 4096 Jul  4 15:39 www.test.com
> 
> SCARY ---

The problem is phpfm then.

> apache error.log:
> 
> [Mon Jul 04 15:43:44 2005] [error] [client x.x.x.x] Premature end of 
> script headers: index.php, referer: http://www.test.com/index.php
> [Mon Jul 04 15:43:44 2005] [error] [client x.x.x.x] SoftException in 
> Application.cpp:227: Directory "/data/www.test.com" is writeable by 
> group, referer: http://www.test.com/index.php
> [Mon Jul 04 15:43:44 2005] [error] [client x.x.x.x] *** glibc detected 
> *** double free or corruption (fasttop): 0x099c6590 ***, referer: 
> http://www.test.com/index.php
> [Mon Jul 04 15:43:44 2005] [error] [client x.x.x.x] File does not exist: 
> /data/www.test.com/favicon.ico
> [Mon Jul 04 15:44:09 2005] [error] [client x.x.x.x] File does not exist: 
> /data/www.test.com/favicon.ico
> [Mon Jul 04 15:44:19 2005] [error] [client x.x.x.x] Premature end of 
> script headers: index.php, referer: http://www.test.com/index.php
> [Mon Jul 04 15:44:19 2005] [error] [client x.x.x.x] SoftException in 
> Application.cpp:227: Directory "/data/www.test.com" is writeable by 
> group, referer: http://www.test.com/index.php
> [Mon Jul 04 15:44:19 2005] [error] [client x.x.x.x] *** glibc detected 
> *** double free or corruption (fasttop): 0x08e16590 ***, referer: 
> http://www.test.com/index.php
> 
> 
> Switching between suphp and mod_php didn't change anything .. the rights 
> on the dir are changed no matter
> (the errors above are with suphp enabled, with mod_php I didn't get any 
> error but the same result)

I have doubts that Apache (user apache) is able to change filesystem
permissions when it does not own a directory and no extension like suphp
is configured or suExec is set.

> On FC4 the problem didn't occur
> ------------
> System Fedora Core 3 - No Selinux
> 
> 
> httpd -V
> Server version: Apache/2.0.54

That is no FC3 Apache!

$ rpm -q httpd
httpd-2.0.52-3.1

$ httpd -v
Server version: Apache/2.0.52
Server built:   Nov 11 2004 10:31:42

> Server built:   Apr 18 2005 21:03:32
> Server's Module Magic Number: 20020903:9
> Architecture:   32-bit
> Server compiled with....
>  -D APACHE_MPM_DIR="server/mpm/prefork"
>  -D APR_HAS_SENDFILE
>  -D APR_HAS_MMAP
>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>  -D APR_USE_SYSVSEM_SERIALIZE
>  -D APR_USE_PTHREAD_SERIALIZE
>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>  -D APR_HAS_OTHER_CHILD
>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>  -D HTTPD_ROOT="/etc/httpd"
>  -D SUEXEC_BIN="/usr/sbin/suexec"
>  -D DEFAULT_PIDLOG="logs/httpd.pid"
>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
>  -D DEFAULT_LOCKFILE="logs/accept.lock"
>  -D DEFAULT_ERRORLOG="logs/error_log"

> I didn't trace and debug the thing yet, pretty in a hurry right now, to find out what may have caused it ... if anyone heard about it .. ?

I would say phpfm is broken or misconfigured. I miss the proof that a
plain FC3 Apache2 with only mod_php - no suPHP, nor running suExec with
PHP cgi scripts - is able to change filesystem permissions for
directories / files the apache user does not own.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 16:22:25 up 8 days, 23:14, load average: 0.14, 0.30, 0.42 
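
Added example, not part of the original message: a small audit script for the two conditions this thread turns on, namely whether a vhost directory is group- or world-writable (what the suPHP SoftException in the quoted log complains about) and whether the account PHP runs as could have changed the mode at all, since chmod succeeds only for the owner or root. The function names are hypothetical and GNU coreutils `stat` is assumed.

```shell
#!/bin/sh
# Usage: audit.sh WEB_USER DIR...   (WEB_USER is the account PHP runs as,
# e.g. "apache" with mod_php, or the vhost owner under suPHP/suExec)

# can_chmod USER DIR: true if USER is root or owns DIR.
# The kernel lets only the owner (or root) change a file's mode.
can_chmod() {
    owner=$(stat -c '%U' "$2") || return 2
    [ "$1" = "root" ] || [ "$1" = "$owner" ]
}

# write_bits DIR: prints "none", "group", "world" or "group,world".
write_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    perm=$((0$mode))            # leading 0 makes the shell read it as octal
    out=""
    if [ $((perm & 020)) -ne 0 ]; then out="group"; fi
    if [ $((perm & 002)) -ne 0 ]; then out="${out:+$out,}world"; fi
    echo "${out:-none}"
}

# audit_dir USER DIR: prints one report line; returns 1 if DIR is
# group- or world-writable, 0 if not, 2 if DIR cannot be examined.
audit_dir() {
    bits=$(write_bits "$2") || return 2
    if can_chmod "$1" "$2"; then who="yes"; else who="no"; fi
    echo "$2 mode=$(stat -c '%a' "$2") owner=$(stat -c '%U' "$2")" \
         "writable_by=$bits chmod_by_$1=$who"
    [ "$bits" = "none" ]
}

# Run over the directories given on the command line.
if [ "$#" -ge 2 ]; then
    user=$1; shift; rc=0
    for d in "$@"; do
        audit_dir "$user" "$d" || rc=1
    done
    exit "$rc"
fi
```

A line reporting `writable_by=group,world` together with `chmod_by_apache=no` means the mode change came from a process running as the directory owner or root, not from a plain mod_php request.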