Apache httpd 1.1.3 apache_status vulnerability  
| Description: | Older versions of Apache httpd blindly follow a symlink at /tmp/apache_status when writing the status file, so the file the link points to is overwritten. |
| Author: | Dean Gaudet (dgaudet@ARCTIC.ORG) |
| Compromise: | root (local) |
| Vulnerable Systems: | Systems running Apache httpd v1.1.3 or lower on some architectures |
| Date: | 16 February 1996 |
Exploit: 
Date: Sun, 16 Feb 1997 15:28:40 +0200
From: Mihai Ibanescu 
To: BUGTRAQ@NETSPACE.ORG
Subject: Bug in apache httpd 1.1.3
        Hello!
        I noticed something interesting on my RedHat linux system (and on
some other linuxes).
        httpd creates a file /tmp/apache_status, and follows blindly any
link if /tmp/apache_status points somewhere, for instance /etc/passwd. So
one can overwrite any file in the system, if she is able to create such a
link, and I don't think that's impossible.
        The funny thing is that I have apache 1.1.3 installed on a SPARC
Solaris, and the problem doesn't exist there. So am I paranoid, or is
there a problem in the Apache server?
                                                Misa
Department of Computer Science          Mihai Ibanescu
"Al. I. Cuza" Univ. of Iasi             e-mail: misa@infoiasi.ro
Romania                                 http://www.infoiasi.ro/~misa
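
The symlink-following behaviour reported above, as an added example that is not part of the original post and is not Apache's source: a truncating open of a fixed temp-file name next to a hardened open that refuses links and checks the inode before truncating. The function names, the private temp directory and the `victim` file are constructed for the illustration.

```c
/* Added example, not Apache's code: unsafe vs. hardened status-file open. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, mkdtemp */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: a truncating open follows a symlink planted at `path`. */
int open_status_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: refuse a symlink, verify the opened inode, only then truncate. */
int open_status_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                  /* ELOOP when path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {  /* rejects hard links too */
        close(fd); errno = EPERM; return -1;
    }
    if (ftruncate(fd, 0) != 0) { close(fd); return -1; }
    return fd;
}

/* Constructed scenario in a private temp dir: 1 = linked file overwritten, 0 = intact. */
int victim_clobbered(int use_safe) {
    char dir[] = "/tmp/symdemoXXXXXX", victim[64], status[64], buf[16] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(status, sizeof status, "%s/apache_status", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "precious", 8) != 8) return -1;
    close(fd);
    if (symlink(victim, status) != 0) return -1;
    fd = use_safe ? open_status_safe(status) : open_status_unsafe(status);
    if (fd >= 0) { if (write(fd, "status", 6) < 0) perror("write"); close(fd); }
    fd = open(victim, O_RDONLY);
    ssize_t n = read(fd, buf, sizeof buf - 1); close(fd);
    unlink(status); unlink(victim); rmdir(dir);
    return (n == 8 && memcmp(buf, "precious", 8) == 0) ? 0 : 1;
}

int main(void) { printf("unsafe=%d safe=%d\n", victim_clobbered(0), victim_clobbered(1)); return 0; }
```

O_NOFOLLOW only guards the final path component; keeping the status file in a directory that only the server can write to removes the exposure at its source.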
This page is part of Fyodor's exploit world.