Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate

From: Nasir Simbolon (nasirat_private)
Date: Wed Aug 01 2001 - 23:05:36 PDT

Next message: Black, Braden: "RE: Wvdial insecure conf?"

Previous message: Jesse Noller: "RE: cold fusion 5.0 cfrethrow exploit"
In reply to: Olaf Bohlen: "Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Olaf Bohlen wrote:

> But: no user (except root) should be able to gain access to nobody. so
> this is not a security hole imho.
>
> Also if you run apache-cgi's as user, apache chowns to the owner of the
> cgi before executing it:
>
>

If apache run by uid nobody, All accounts system will have gain access to
nobody  if :
1. you installed php as module of apache
2. configure php as default

all you have to do is create a php script that execute code
eg.
<?php
   system("/path/to/locate-exploite");
?>
put this script in your public_html directory and access this file from
your browser.
This script will execute by php uid nobody.

note : php have directives in php.ini  to  limit system programs that can
be executed by php  :
safe_mode_exec_dir    /path/to/exec-dir-allowed
open_basedir       /path/to/open-dir-allowed

salam,
/*------------------------------------
--Nasir Simbolon // Web application developer //
--3WSI : 3WSI Web Solutions Indonesia
--http://3wsi.com
--*/

Next message: Black, Braden: "RE: Wvdial insecure conf?"
Previous message: Jesse Noller: "RE: cold fusion 5.0 cfrethrow exploit"
In reply to: Olaf Bohlen: "Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Aug 02 2001 - 15:06:13 PDT