List:       apache-cvs
Subject:    svn commit: r542747 - /httpd/mod_ftp/trunk/patches/ftp.patch
From:       wrowe () apache ! org
Date:       2007-05-30 4:22:57
Message-ID: 20070530042258.64E161A981A () eris ! apache ! org

Author: wrowe
Date: Tue May 29 21:22:53 2007
New Revision: 542747

URL: http://svn.apache.org/viewvc?view=rev&rev=542747
Log:
Before extending the server directives with a richer ftp.patch, 
scare the bejebus out of them.

Modified:
    httpd/mod_ftp/trunk/patches/ftp.patch

Modified: httpd/mod_ftp/trunk/patches/ftp.patch
URL: http://svn.apache.org/viewvc/httpd/mod_ftp/trunk/patches/ftp.patch?view=diff&rev=542747&r1=542746&r2=542747
 ==============================================================================
--- httpd/mod_ftp/trunk/patches/ftp.patch (original)
+++ httpd/mod_ftp/trunk/patches/ftp.patch Tue May 29 21:22:53 2007
@@ -1,3 +1,23 @@
+#
+# WARNING: This patch enables the administrator to specify inbound
+# ftp-data port 20, ftps-data port 990, or other desired data ports,
+# and whichever outbound low numbered port bindings are desired to
+# avoid firewall issues.  It does so by allowing each child worker
+# to seteuid back-to-root in order to bind to lower numbered ports,
+# whereupon mod_ftp will again seteuid to the configured User.
+#
+# That said, this patch also allows any remote code execution 0day
+# flaw or untrusted web server application to seteuid() BACK TO ROOT.
+# This is a serious issue that can't be understated.
+#
+# The httpd project STRONGLY RECOMMENDS YOU DO NOT APPLY THIS PATCH
+# and absolutely DO NOT APPLY IT if you allow arbitrary users to submit
+# perl, php and similar scripts for execution on your server.  It is
+# worth the time to configure your firewalls appropriately to permit
+# traffic through higher numbered data ports (above port 1023).
+#
+# YOU HAVE BEEN WARNED
+#
 Index: os/unix/unixd.c
 ===================================================================
 RCS file: /home/cvs/httpd-2.0/os/unix/unixd.c,v
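Review bot: the sentence "This is a serious issue that can't be understated" in the third paragraph of the new header says the opposite of what is meant; it should read "cannot be overstated" (or simply "This is a serious issue"), since the header's whole purpose is to stress, not minimise, the risk. On the substance, the warning is right to call out that the seteuid()-back-to-root mechanism is reachable by any code that runs inside a child worker, not just by mod_ftp, and the safe alternative it names (firewall rules permitting data ports above 1023, so no privileged bind is needed) is the operative advice; consider moving that recommendation to the first paragraph so an administrator skimming the file reads the mitigation before the mechanism, and state explicitly that the patch should be left unapplied unless the privileged-port binding is a hard requirement that cannot be met any other way.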

