Some stable versions of net-www/apache-2* install configuration files (under /etc/apache2/conf) owned by apache:apache, allowing execution of arbitrary code if a user can hi-jack an app, or run a a malicious script, as the apache user (default). No POC, can provide one if needed .. :)
Well, it allows to execute arbitrary code as apache. So if you manage to get apache rights you can execute arbitrary code as apache... So it's not a hole in itself. It's just a bad mitigating factor, if someone achieves apache rights on a system it easily controls the whole Apache conf. Should be fixed, setting to "Default configs".
Created attachment 63372 [details] Initscript for apache that actually restarts apache
Oops. Wrong bugid. Please ignore the attachment.
Apache any news on this one?
This was fixed in 2.0.54-r7, from the ChangeLog: *apache-2.0.54-r7 (07 Jun 2005) 07 Jun 2005; Michael Stewart <vericgar@gentoo.org> +apache-2.0.54-r7.ebuild: Fix installation of configuration so that it's now owned by root instead of apache As there has been other security problems fixed in later revisions (see bug 98358) all arches should have the fix marked stable already.
Thx Michael.