[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: mod_curb ridiculously unsafe tmp file creation

On Sun, Jan 29, 2006 at 11:57:04AM +0100, Eriam Schaffter wrote:
> Hello
> Why is that so unsafe ?

If I (as any unprivileged user) symlink /tmp/modcurb.log to anything
that the Apache user has access to, the module will blindly append it's
log data to that file, which can corrupt binary or structuralized text
files of any kind. No checking if /tmp/modcurb.log exists is done at

Anyway, /tmp is a pretty dumb location for a log file.

Jan Srzednicki