[Full-Disclosure] Mod-Throttle [was: client attacks server - XSS]
zen-parse
zen-parse at gmx.net
Tue Oct 14 14:34:43 BST 2003
That reminds me...
From http://www.snert.com/Software/mod_throttle/
...
Elements of the critical & shared memory code, as of mod_throttle/3.0,
originally derived from the Apache Web Server source code.
...
The elements of the shared memory code that were used were the same
elements that were buggy in Apache <= 1.3.26.
The outcome though is worse.
A local root exploit is possible if you gain access to the user apache
is running as, due to the module storing pointers in shared memory,
and a data file being writable by the same user.
(Yes, local root from apache is possible because the shutdown/startup
stuff that is done by the parent process, which runs as root.)
Without the apache scoreboard bug, this is slightly harder to exploit,
as it requires getting the httpd to do a reload config, which used to be
possible via sending the SIGUSR1 to it.
Author was contacted 26 Jan 2002 and apparently he still hasn't got around
to releasing version 4.0 which was going to fix the problem.
-- zen-parse
--
-------------------------------------------------------------------------
1) If this message was posted to a public forum by zen-parse at gmx.net, it
may be redistributed without modification.
2) In any other case the contents of this message is confidential and not
to be distributed in any form without express permission from the author.
Full-Disclosure is hosted and sponsored by Secunia.
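
The message above attributes the problem to pointers kept in shared memory that the unprivileged user can write and that the root parent later uses. The following is an added example, not part of the original post and not mod_throttle or Apache code: a sketch of the defensive alternative, where the segment holds only indices and the privileged reader validates them. The layout and the names `segment`, `slot`, `parent_sum_hits` and `demo` are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define SLOTS 8u            /* also used as the end-of-list marker */

/* Hypothetical layout (not mod_throttle's). The segment is writable by the
 * unprivileged workers, so the root parent treats every field as untrusted. */
struct slot    { uint32_t next; uint32_t hits; };  /* index link, never a pointer */
struct segment { uint32_t head; struct slot slots[SLOTS]; };

/* Runs in the privileged parent. Returns the hit total, or -1 if the
 * segment is inconsistent and must be discarded instead of used. */
int64_t parent_sum_hits(const struct segment *shared)
{
    struct segment snap;
    int64_t total = 0;
    uint32_t idx, steps = 0;

    /* Snapshot into private memory so a worker cannot change a value
     * between the check and the use. */
    memcpy(&snap, shared, sizeof snap);

    for (idx = snap.head; idx != SLOTS; idx = snap.slots[idx].next) {
        if (idx > SLOTS)        /* link points outside the table */
            return -1;
        if (steps++ >= SLOTS)   /* more hops than slots: a cycle */
            return -1;
        total += snap.slots[idx].hits;
    }
    return total;
}

/* Constructed sample: list 0 -> 2 -> tail_next, as a worker might leave it. */
int64_t demo(uint32_t tail_next)
{
    struct segment seg;
    memset(&seg, 0, sizeof seg);
    seg.head = 0;
    seg.slots[0].next = 2;         seg.slots[0].hits = 5;
    seg.slots[2].next = tail_next; seg.slots[2].hits = 7;
    return parent_sum_hits(&seg);
}

int main(void) { return demo(SLOTS) == 12 ? 0 : 1; }
```

An index can be range-checked against the table size, while a raw pointer read from the same segment gives the privileged process nothing to check it against.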