Cherokee fails to drop root privileges after binding to port 80.
Cherokee is a compact, open-source web server. Cherokee is designed to start as root and drop root privileges after binding to port 80. However, versions of Cherokee prior to 0.2.7 fail to drop root privileges properly. By exploting the vulnerability described in CERT VU#711315 in these versions of Cherokee, attackers may execute arbitrary commands as root.
Remote attackers may run arbitrary commands as root.
Upgrade to Cherokee 0.2.7:
Thanks to GOBBLES Security Advisory for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
|Date First Published:||2002-09-24|
|Date Last Updated:||2002-09-24 15:53 UTC|