ID theft with Apache's suexec
Security services provider iDefense has reported a number of vulnerabilities in Apache's suexec helper application, which lets a CGI script, for example, run with the privileges of the script's owner rather than those of the web server process. The vulnerabilities allow a local user to execute programs with another user's privileges. However, by default suexec can only be launched by the user under whose account the web server is running (e.g. "httpd"). suexec also limits the possible user and group IDs. The tool is included in Apache as standard but is often not activated by default, in Fedora for example. Users who do not use suexec can remove the setuid bit as a preventive measure:
# chmod -s /path/to/suexec
The Apache team have responded to the notification from iDefense by stating that exploitation of the vulnerability requires an insecure configuration, in that the web server user has write privileges in the document root. They argue that suexec cannot possibly consider all possible insecure configurations. It can therefore be assumed that no fix is likely to be forthcoming.
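A check for the two conditions discussed above (a suexec binary that still carries the setuid bit, and a document root the web server user can write to), as an added example that is not part of the original article or the iDefense advisory. The function names are hypothetical, and the suexec path, document root, user and group are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: audits the two conditions the article names.
# Function names are hypothetical; all paths and IDs come from the caller.

# True if the file carries the setuid or setgid bit (what `chmod -s` clears).
has_setid_bit() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Print every path under the document root that the given user or group
# can write to according to its permission bits (ACLs are not examined).
# $1 = document root, $2 = web server user or uid, $3 = group or gid
writable_paths() {
    find "$1" ! -type l \( -perm -0002 \
        -o \( -user "$2" -perm -0200 \) \
        -o \( -group "$3" -perm -0020 \) \) -print
}

# Report both findings; returns 1 if either condition is present.
# $1 = suexec binary, $2 = document root, $3 = user, $4 = group
audit() {
    status=0
    if has_setid_bit "$1"; then
        echo "setuid/setgid bit set on $1 (if suexec is unused: chmod -s $1)"
        status=1
    fi
    found=$(writable_paths "$2" "$3" "$4")
    if [ -n "$found" ]; then
        echo "writable by $3:$4 under $2:"
        echo "$found"
        status=1
    fi
    return "$status"
}

# Run only when called with all four arguments, e.g.
#   sh audit.sh /path/to/suexec /path/to/docroot httpd httpd
if [ "$#" -eq 4 ]; then
    audit "$@"
fi
```

A setuid bit on suexec is a finding only on systems that do not use suexec; where it is in use, the document root result is the one that matters.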
- Apache HTTPD suEXEC Multiple Vulnerabilities from iDefense