httpd (Apache 1.1.3)


    RedHat linux and possibly others (SPARC Solaris not!)


    Mihai  Ibanescu  <misa@THOR.INFOIASI.RO>  noticed  RedHat linux
    system  (and  on  some  other  linuxes)  that httpd creates a file
    /tmp/apache_status,   and    follows   blindly    any   link    if
    /tmp/apache_status points somewhere, for instance /etc/passwd.  So
    one can overwrite any file in the system.


    In 1.2b6 that file has been moved to  "logs/apache_runtime_status"
    which places it  in the ServerRoot.   There are also  some notices
    in the documentation about  the security implications of  log file
    and parent  directory ownership.   So the  problem is  effectively
    not there on systems that are configured correctly.

    A  temporary  fix  under  1.1.3  and  earlier  would be to add the
    following to your httpd.conf:

        ScoreBoardFile /path/to/root-writeable-only-directory/apache_status

    For some appropriate  directory.  But  note that the  same problem
    exists  with  all  the  log  files  as well, so your log directory
    should be root-writeable only.