Red Hat Bugzilla – Bug 112956
Hijacking Apache https by mod_php
Last modified: 2007-11-30 17:10:35 EST
Description of problem, how reproducible and steps to reproduce:
Mod_php under Apache 2.0.x leaks a critical file descriptor that
can be used to take over (hijack) the https service.
All in all it's described at Bugtraq:
Version-Release number of selected component (if applicable):
I talked with a guy from php.net; he said that it is an Apache
related problem, so something like that is maybe possible with
Python, too. He also said that Apache will provide a patch for
that - anytime...
Fixed httpd asap ;) the fix is like this:
fcntl( X, F_SETFD, FD_CLOEXEC );
But the question is where to place it, X should also be replaced
with the real variable's name.
Red Hat Linux 9 is vulnerable, too.
This "leaking" of file descriptors does not have security implications
unless you consider that the PHP interpreter provides a "security
sandbox" from which it is possible to run untrusted code. For further
information, read our write-up in ApacheWeek: