7755829 2002-01-06 05:35 +0100 /31 rader/ Tozz <tozz@embrace.selwerd.nl> Sänt av: joel@lysator.liu.se Importerad: 2002-01-07 08:57 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <20384> Ärende: Denial of Service flaw in Apache ------------------------------------------------------------ From: "Tozz" <tozz@embrace.selwerd.nl> To: <bugtraq@securityfocus.com> Message-ID: <001101c1966b$89897a80$bd00a8c0@poesje> Hello, Today I stumbled on a little issue in Apache. My webhosting company creates log files for each seperate user/domain, so every user is able to download his own access / error logs. The problem occures when the log directory does not exists, when apache receives a SIGHUP (e.g. logrotate)Apache will reload its config file and shutdown immediatly. So, if the log directory is removed by the owner of the domain by accident or because he just wanted to clean up some logs :), apache will just simply shutdown upon a SIGHUP. Apache only seems to do this with log files, if a DocumentRoot does not exist it will just start and display a 404. Same for a ScriptAlias or anything else that uses a directory. It's not really a bug, because you can just set the owner of the log directory to UID root, but still I think it's weird that Apache only dies with a log directory and not with any other directory.. Bye, Tozz Visit us: #h4h @ irc.rizenet.org (7755829) /Tozz <tozz@embrace.selwerd.nl>/(Ombruten) 7760948 2002-01-07 07:14 -0800 /37 rader/ Marc Slemko <marcs@znep.com> Sänt av: joel@lysator.liu.se Importerad: 2002-01-07 23:20 av Brevbäraren Extern mottagare: Tozz <tozz@embrace.selwerd.nl> Extern kopiemottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <20407> Kommentar till text 7755829 av Tozz <tozz@embrace.selwerd.nl> Ärende: Re: Denial of Service flaw in Apache ------------------------------------------------------------ From: Marc Slemko <marcs@znep.com> To: Tozz <tozz@embrace.selwerd.nl> Cc: bugtraq@securityfocus.com Message-ID: <Pine.BSF.4.20.0201070708190.383-100000@alive.znep.com> On Sun, 6 Jan 2002, Tozz wrote: > Hello, > > Today I stumbled on a little issue in Apache. My webhosting company creates > log files for each seperate user/domain, so every user is able to download > his own access / error logs. [...etc etc etc...] I will tell you the same thing that I told you when you sent the same thing to security@apache.org: The documentation explicitly states that you must not allow non-trusted users write access to the logs directory. It is a major security hole because they are opened by the user that starts apache (ie. normally root). This is a done this way on purpose, however it requires that the server not be misconfigured. If you have a setup where a random user can write to a logs directory, then you have a hell of a lot more to worry about than them causing the server to not start! Having a non-existant log directory is considered a major configuration error, and it is not appropriate for Apache to blindly continue on trying to guess what it should do (and possibly not logging anything). Also, note that it is NOT only missing log directories that will cause Apache to fail to startup correctly, there are any number of major configuration errors that will cause it to do the same thing. On purpose. (7760948) /Marc Slemko <marcs@znep.com>/--(Ombruten)