top | item 19571819

ams6110 | 7 years ago

I still don't get it. CGI scripts would run with reduced privileges. The CVE description says "code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard"

What is the scoreboard?

chrismeller|7 years ago

It’s basically the list the master process keeps of the worker processes it has spun up. The workers can report back some stats that the master tracks about each. Apparently something in that report-back process could be exploited to run arbitrary code.

yrro|7 years ago

Who on earth doesn't run CGI scripts, etc., as a separate user to the one that their apache workers run as?