WebTen
Re: Apache Vulnerability in WebTen
On Mon, 24 Jun 2002, Robert Brandtjen wrote:
> On Monday 24 June 2002 11:50 am, you wrote:
> > Is the only vulnerability that it opens the server to a DOS attack, or are
> > there other vulnerabilities? I'm getting mixed signals from the referenced
> > documents. By "execute arbitrary code" does that mean they can turn my web
> > server into a spam sender or something? Or what else?
>
> It means they can assume "root" (read 'god' of all server ops) on the machine
> in question - of course that's mostly moot for OS9 - but they could get some
> access to what the httpd server does, and, I suppose, upload and execute
> some scripts.
Robert,
This is absolutely not true. WebTen's Apache runs as user "nobody". Any
"arbitrary code" would be run as user nobody as well. Applications
running as the restricted user "nobody" have limited access to the
filesystem -- on a typical Unix system (WebTen is a Unix system at its
core, so this applies), no files or directories are owned by the user
nobody. Furthermore, files on your Macintosh filesystem are assigned Unix
ownership of Pass/webten. This prevents the user "nobody", if Apache was
compromised, from damaging any web content.
Hope this helps,
Erik.
--
Erik Lotspeich Lead Engineer
Tenon Intersystems erik@xxxxxxxxx
1123 Chapala Street Ste 200 805-963-6983
Santa Barbara, CA 93101-3142 http://www.tenon.com/
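Erik's point rests on file ownership: the account Apache runs as ("nobody") must not own, and must not be able to write, the content it serves. The following POSIX shell audit is an added example and not WebTen or Tenon code; it lists everything under a document root that a given account could modify, either because the account owns it or because it is world-writable. The document root path and the account name are assumptions passed in as arguments, and "nobody" is used only as the conventional example.

```shell
#!/bin/sh
# Added example (not WebTen or Tenon code): audit a document root for
# content that the web server's unprivileged account could modify.
# Assumptions: the document root path and the account name are passed as
# arguments; "nobody" below is only the conventional example account.

# Print every file or directory under $1 that user $2 could write to,
# either because $2 owns it or because it is world-writable.
audit_docroot() {
    docroot=$1
    webuser=$2
    if id -u "$webuser" >/dev/null 2>&1; then
        # The account exists on this host: check ownership as well as
        # the world-writable bit.
        find "$docroot" \( -type f -o -type d \) \
            \( -user "$webuser" -o -perm -0002 \) | sort
    else
        # The account is unknown here (e.g. auditing a copied tree):
        # only the world-writable bit can be evaluated.
        find "$docroot" \( -type f -o -type d \) -perm -0002 | sort
    fi
}

# Exit status 0 when nothing under $1 is writable by $2, 1 otherwise,
# so the check can gate a deployment or be run from cron.
docroot_is_protected() {
    [ -z "$(audit_docroot "$1" "$2")" ]
}

# Usage (path is hypothetical):
#   audit_docroot /path/to/htdocs nobody
#   docroot_is_protected /path/to/htdocs nobody && echo "content is read-only for nobody"
```

Directories are included because a directory writable by the server account lets that account create new files in it even when every existing file is read-only, which is the usual route to defacement or dropped scripts when a server process is compromised.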
Copyright © 2003 Tenon Intersystems, 232 Anacapa Street, Suite 2A, Santa Barbara, CA 93101. All rights reserved.