Suexec does not check correctly that the executed script is inside the docroot directory. It does chdir(AP_DOC_ROOT); getcwd(dwd, AP_MAXPATH) to get the docroot directory and then does a simple strncmp(cwd, dwd, strlen(dwd)) to compare it with the working directory. But getcwd returns the directory without a trailing slash (at least under Linux). This means that, if AP_DOC_ROOT is set to e.g. /var/www, suexec will happily execute scripts under /var/www.bak. The same is true for userdir requests, i.e. /home/joe/public_html.bak will be accepted.

As Joe Orton pointed out, this is http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1742

The advisory http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=511 also lists a race condition.
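To make the prefix-comparison flaw concrete, the following C program is an added illustration (not code from the bug report, the attached patches, or suexec.c itself). It models the check described above on constructed paths: `docroot_check_vulnerable` is the bare `strncmp(cwd, dwd, strlen(dwd))` test, and `docroot_check_fixed` additionally requires the character following the matched prefix to be NUL or '/', which is the idea of the simpler patch below; the exact upstream fix may differ, and the race condition mentioned in the advisory is not modelled here.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of the docroot prefix check described in the report.
 * The functions below are a model written for this page, not the actual
 * suexec.c source; the paths used are constructed test values.
 *
 * cwd: the script's directory as returned by getcwd() (no trailing slash)
 * dwd: the docroot obtained via chdir(AP_DOC_ROOT); getcwd(), which also
 *      comes back without a trailing slash on Linux.
 */

/* The flawed test: a bare prefix comparison. Because dwd has no trailing
 * slash, "/var/www.bak" and "/var/www-test/cgi" both begin with "/var/www"
 * and are accepted. */
int docroot_check_vulnerable(const char *cwd, const char *dwd)
{
    return strncmp(cwd, dwd, strlen(dwd)) == 0;
}

/* Hardened test, in the spirit of the second attached patch: once the prefix
 * matches, the next character of cwd must be the terminating NUL (script is
 * directly in the docroot) or '/' (script is in a subdirectory). Anything
 * else means cwd merely shares a prefix with the docroot. */
int docroot_check_fixed(const char *cwd, const char *dwd)
{
    size_t n = strlen(dwd);

    /* Tolerate a docroot configured with a trailing slash ("/var/www/"). */
    while (n > 0 && dwd[n - 1] == '/')
        n--;

    if (strncmp(cwd, dwd, n) != 0)
        return 0;
    return cwd[n] == '\0' || cwd[n] == '/';
}

int main(void)
{
    /* Constructed sample inputs: the docroot and candidate script dirs. */
    const char *dwd = "/var/www";
    const char *cases[] = {
        "/var/www",          /* script directly in the docroot: allow  */
        "/var/www/cgi-bin",  /* subdirectory of the docroot: allow    */
        "/var/www.bak",      /* sibling sharing a prefix: must reject */
        "/var/www-test/cgi", /* sibling sharing a prefix: must reject */
        "/var/ww",           /* shorter than the docroot: reject      */
    };
    size_t i;

    printf("%-20s %-10s %-6s\n", "cwd", "vulnerable", "fixed");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-20s %-10s %-6s\n", cases[i],
               docroot_check_vulnerable(cases[i], dwd) ? "allow" : "reject",
               docroot_check_fixed(cases[i], dwd) ? "allow" : "reject");
    return 0;
}
```

Running it shows the vulnerable check allowing both the docroot's siblings, while the fixed check allows only the docroot itself and its subdirectories. The same logic applies unchanged to the userdir case (`/home/joe/public_html` versus `/home/joe/public_html.bak`).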
Created attachment 21780 [details]
patch for suexec

This patch should fix both issues, but I am not sure if the fchdir part is portable.
Created attachment 23383 [details]
more simple patch

This is a simpler patch.
It only tests whether NULL or '/' exists at the end of the cwd string.
(In reply to comment #2)
> Created an attachment (id=23383) [details]
> more simple patch
>
> This is a simpler patch.
> It only tests whether NULL or '/' exists at the end of the cwd string.

Have you tested this in the case that the script is located directly in the document root (and not in a subdir)?
Oops... I had forgotten to test that case. I have just tested whether it execs /var/www/test_args.cgi with AP_DOC_ROOT="/var/www". I also tested that it doesn't exec /var/www-test/test_args.cgi. And it works for me. :)