Apache does not honor -FollowSymlinks due to TOCTOU, which allows access to /proc/<pid>/ files
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apache2 (Ubuntu) | Invalid | High | Unassigned |
Bug Description
Apache 2.2.19 worker contains a TOCTOU problem when -FollowSymlinks is configured, causing it to follow the link to any location. This only occurs when a user other than www-data is allowed to modify parts of the filesystem data currently served by apache, e.g. the user's personal web-space. Use POC from http://
Ubuntu security was informed on 20110625; reply:
========
httpd has never claimed (or attempted) to implement any security restriction on following symlinks. This is mentioned in the current docs for Options:
http://
"symlink testing is subject to race conditions that make it circumventable"

You have some discussion in your document of the perspective. httpd's support for running children as a less-privileged non-root user allows admins to restrict the capabilities of those children. It is a misconfiguration if the less-privileged user is allowed access to privileged files; there is little httpd itself can do to prevent (or detect) that situation.

Similarly, it is the admin's responsibility to consider what escalation of privileges is possible by allowing less-trusted users to author content.
=========
Still, it can be used to read the /proc/<pid>/maps memory layout remotely, which might be handy, e.g. when exploiting the apache buffer overflow from https:/
Not flagged as a security issue, due to the response from apache.org.
Public disclosure http://
Discussion if vulnerability on open-source-
```
# lsb_release -rd
Description: Ubuntu oneiric (development branch)
Release: 11.10
# apt-cache policy apache2-mpm-worker
apache2-mpm-worker:
  Installed: 2.2.19-1ubuntu1
  Candidate: 2.2.19-1ubuntu1
  Version table:
 *** 2.2.19-1ubuntu1 0
        500 http://
        100 /var/lib/
```
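The race the report describes is the classic lstat-then-open window: the server checks a path component, the content author swaps a symlink into that name, and the subsequent open follows it. The C program below is an added illustration, not code from the bug report or from Apache httpd. It contrasts the racy check-then-open shape with a walker that opens every component by handle with `openat()` and `O_NOFOLLOW`, so a symlink inserted at any level fails with `ELOOP` instead of being followed. The function names (`open_racy`, `open_nofollow_walk`, `run_demo`) and the temporary docroot it builds under `/tmp` are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: the same check-then-open shape the report's TOCTOU refers to.
 * The directory entry can be replaced between lstat() and open(), so the open
 * may follow a symlink the check never saw. Kept only for contrast. */
int open_racy(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (S_ISLNK(st.st_mode)) {
        errno = ELOOP;
        return -1;
    }
    return open(path, O_RDONLY | O_CLOEXEC); /* window: path may have changed */
}

/* Hardened pattern: walk relpath below root one component at a time, opening
 * each with openat() relative to the handle of the directory already opened.
 * O_NOFOLLOW makes the kernel refuse a symlink at the component being opened,
 * so there is no check/use gap; ".." is refused so the walk cannot leave root.
 * Returns an O_RDONLY fd, or -1 with errno set. */
int open_nofollow_walk(const char *root, const char *relpath)
{
    int dirfd = open(root, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dirfd < 0)
        return -1;
    char *copy = strdup(relpath);
    if (!copy) {
        close(dirfd);
        return -1;
    }
    char *save = NULL;
    for (char *comp = strtok_r(copy, "/", &save); comp; comp = strtok_r(NULL, "/", &save)) {
        if (strcmp(comp, "..") == 0) {
            close(dirfd);
            dirfd = -1;
            errno = EACCES;
            break;
        }
        int next = openat(dirfd, comp, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        int saved = errno;
        close(dirfd);
        errno = saved;
        dirfd = next;
        if (dirfd < 0)
            break;
    }
    int saved = errno;
    free(copy);
    errno = saved;
    return dirfd;
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Constructed scenario: a docroot holding a regular page and an author-created
 * symlink pointing outside the docroot. Returns 0 when the hardened walker
 * serves the page and refuses the symlink with ELOOP; nonzero otherwise. */
int run_demo(void)
{
    char base[] = "/tmp/nofollow-demo-XXXXXX"; /* constructed temp tree */
    if (!mkdtemp(base))
        return 1;
    char docroot[PATH_MAX], outside[PATH_MAX], secret[PATH_MAX], page[PATH_MAX], link[PATH_MAX];
    snprintf(docroot, sizeof docroot, "%s/docroot", base);
    snprintf(outside, sizeof outside, "%s/outside", base);
    snprintf(secret, sizeof secret, "%s/secret", outside);
    snprintf(page, sizeof page, "%s/index.html", docroot);
    snprintf(link, sizeof link, "%s/leak", docroot);
    int rc = 2;
    if (mkdir(docroot, 0700) == 0 && mkdir(outside, 0700) == 0 &&
        write_file(secret, "not for the web\n") == 0 &&
        write_file(page, "<h1>hello</h1>\n") == 0 &&
        symlink(secret, link) == 0) {
        int ok = open_nofollow_walk(docroot, "index.html");
        int bad = open_nofollow_walk(docroot, "leak");
        int bad_errno = errno;
        rc = (ok >= 0 && bad < 0 && bad_errno == ELOOP) ? 0 : 3;
        if (ok >= 0)
            close(ok);
    }
    unlink(link); unlink(page); unlink(secret); /* remove the constructed tree */
    rmdir(docroot); rmdir(outside); rmdir(base);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("hardened walker: %s\n", rc == 0 ? "served index.html, refused the symlink" : "FAILED");
    return rc;
}
```

The walker is what a server would need in order to make `-FollowSymLinks` or `SymLinksIfOwnerMatch` a real guarantee: the decision is taken by the kernel at the moment the component is opened, so a rename racing against the check has nothing to win. Upstream's position, quoted above, is that httpd makes no such guarantee, which is why the practical mitigation on the server side is to keep content authors and the httpd user from sharing writable directories rather than to rely on the option.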
security vulnerability: no → yes
Changed in apache2 (Ubuntu):
importance: Undecided → High
tags: added: server
This is an unsupported use case of Apache httpd and I am pretty sure it won't be changed upstream. And I don't think Ubuntu or Debian should deviate from that, see http://seclists.org/oss-sec/2011/q3/111