On Wednesday, 2004-01-21 at 22:53:33 -0000, Steve Grubb wrote: > Product: mod_perl > Versions: 1.99_09 / apache 2.0.47 > URL: http://perl.apache.org > Impact: Daemon Hijacking > Bug class: Leaked Descriptor > Vendor notified: Yes > Fix available: No > Date: 01/21/04 > Issue: > ====== > Mod_perl under apache 2.0.x leaks critical file descriptors that can be used to takeover (hijack) the http and https services. It does not leak them. Your code reopens them. Installing your code requires superuser permissions. Or the willingness of the admin of the machine to trust people with the right to install code that runs inside Apache. Much the same can be done with anything that runs inside Apache. For example, mod_php. So in essence you are complaining that an Apache extensions has the right to do anything inside Apache it can be programmed to do. For example, to receive POST data, the extension code has to be able to access the FD that connects to the browser. It also has to be able to write to that FD to send a reply. To write to a log, it needs write access (mostly through the Apache ABI) to the log filedescriptors. Can you suggest a way to avoid this? I have forwarded your mail to the mod_perl mailing list, which I'm also Ccing on this mail. Had you taken your problem there first, this silliness could have been avoided. The thread starts at http://marc.theaimsgroup.com/?l=apache-modperl&m=107475920405755&w=2 Lupe Christoph -- | lupe@lupe-christoph.de | http://www.lupe-christoph.de/ | | "Violence is the resort of the violent" Lu Tze | | "Thief of Time", Terry Pratchett |
