Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 14 Jun 2013 23:49:48 -0500
From: John Lightsey <john@...nuts.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: FD leakage for cgi program on
 Monkey HTTPD

On Fri, 2013-06-14 at 16:50 -0700, Seth Arnold wrote: 
> On Fri, Jun 14, 2013 at 04:40:29PM -0500, John Lightsey wrote:

> > I don't see how this issue is very different from CVE-2012-4442 and
> > CVE-2012-4443. Do you believe those CVEs were not appropriate?
> 
> CVE-2012-4442 and CVE-2012-4443 (failure to drop supplementary gids,
> failure to drop root uid and gid when running CGIs, for those reading
> along at home) were probably appropriate for two reasons: (a) Monkey
> probably made some effort at dropping privileges and just screwed it up
> in the same way everyone else did a decade earlier (b) no one expects a
> webserver to run as root once it has bound its sockets. Even a webserver
> claimed to be "lightweight" is _expected_ to drop all the unneeded
> privileges once running.

I would argue that no one will expect that giving a user the ability to
run CGI scripts in a particular virtualhost context on the system gives
them the ability to intercept and spoof traffic for all virtualhosts on
the system.

Monkey does include virtualhost support and mentions shared hosting as
an example usage scenario in the documentation.

http://monkey-project.com/documentation/virtual_hosts

> 
> But not all webservers are expected to try to enforce running CGIs with
> different security boundaries. Apache chose to try, and faults in their
> suEXEC ought to be allocated CVEs. I don't see anything on the Monkey
> website to document any suEXEC-alike functionality.
> 
> Obviously Kurt disagreed with me and allocated a CVE :) so in some sense
> this whole discussion is now hypothetical.

Indeed. I found it very interesting that you objected. To me this seemed
to be a relatively straightforward issue. I appreciate you explaining
your reasoning in more detail.



Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.