httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject Re: [users@httpd] HTTPD 2.2.3 possible exploit?
Date Tue, 03 Jul 2007 02:22:18 GMT
Chris Robertson wrote:
> Where's the posix api and dl-functionality report?  Any specific
> keywords to narrow it down?

disable_*** in php.ini?

> I actually started with PHP as my most likely culprit but in digging in
> one of the servers that was compromised doesn't have any php web pages,
> i.e. the module is loaded but not in use.

well, is it possible it crossed process boundries to other processes also
running as user 'wwwrun'?

> I'm also somewhat confused as to how privileges were escalated since the
> httpd binaries were running as the user "wwwrun".  I'm not an Apache
> expert (obviously :) but my understanding was that all httpd processes
> would run under the effective permissions of that user, i.e. you'd need
> to get a buffer overflow (or similar) that got through the PHP layer and
> the httpd code before you could get a root level exploit.  Yeah/nay?

Whoops.  Don't tell us you started httpd as wwwrun?  That means you don't
have a protected space in .../logs etc that aren't writeable as wwwrun.

The point of starting apache as 'root', backing down to 'User wwwrun' is
that httpd the daemon can open otherwise protected files, and then discard
it's permissions to do any further damage.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message