List: apache-cvs
Subject: svn commit: r542747 - /httpd/mod_ftp/trunk/patches/ftp.patch
From: wrowe@apache.org
Date: 2007-05-30 4:22:57
Message-ID: 20070530042258.64E161A981A@eris.apache.org
Author: wrowe
Date: Tue May 29 21:22:53 2007
New Revision: 542747
URL: http://svn.apache.org/viewvc?view=rev&rev=542747
Log:
Before extending the server directives with a richer ftp.patch,
scare the bejebus out of them.
Modified:
httpd/mod_ftp/trunk/patches/ftp.patch
Modified: httpd/mod_ftp/trunk/patches/ftp.patch
URL: http://svn.apache.org/viewvc/httpd/mod_ftp/trunk/patches/ftp.patch?view=diff&rev=542747&r1=542746&r2=542747
==============================================================================
--- httpd/mod_ftp/trunk/patches/ftp.patch (original)
+++ httpd/mod_ftp/trunk/patches/ftp.patch Tue May 29 21:22:53 2007
@@ -1,3 +1,23 @@
+#
+# WARNING: This patch enables the administrator to specify inbound
+# ftp-data port 20, ftps-data port 990, or other desired data ports,
+# and whichever outbound low numbered port bindings are desired to
+# avoid firewall issues. It does so by allowing each child worker
+# to seteuid back-to-root in order to bind to lower numbered ports,
+# whereupon mod_ftp will again seteuid to the configured User.
+#
+# That said, this patch also allows any remote code execution 0day
+# flaw or untrusted web server application to seteuid() BACK TO ROOT.
+# This is a serious issue that can't be understated.
+#
+# The httpd project STRONGLY RECOMMENDS YOU DO NOT APPLY THIS PATCH
+# and absolutely DO NOT APPLY IT if you allow arbitrary users to submit
+# perl, php and similar scripts for execution on your server. It is
+# worth the time to configure your firewalls appropriately to permit
+# traffic through higher numbered data ports (above port 1023).
+#
+# YOU HAVE BEEN WARNED
+#
Index: os/unix/unixd.c
===================================================================
RCS file: /home/cvs/httpd-2.0/os/unix/unixd.c,v
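Review bot: The warning's sentence "This is a serious issue that can't be understated" says the opposite of what is meant; it should read "can't be overstated" (or simply "This is a serious issue"), otherwise the most important line of the header undercuts itself. While touching that paragraph, the header would be clearer if it stated the mechanism behind the risk it describes: a worker that drops privilege with seteuid() to the configured User keeps a saved set-user-ID of 0, so seteuid(0) remains available to any code running in that process, which is exactly why the "remote code execution 0day flaw or untrusted web server application" paragraph applies and why the configured User offers no protection once this patch is in. One sentence to that effect, next to the existing "whereupon mod_ftp will again seteuid to the configured User" line, would let an administrator judge the trade-off the header asks them to make.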