The Debian GNU/Linux 033_-F_NO_SETSID patch for the Apache HTTP Server 1.3.34-4 does not properly disassociate httpd from a controlling tty when httpd is started interactively, which allows local users to gain privileges to that tty via a CGI program that calls the TIOCSTI ioctl.
References
Configurations
Information
Published : 2007-03-03 11:19
Updated : 2017-07-28 18:29
NVD link : CVE-2006-7098
Mitre link : CVE-2006-7098
JSON object : View
CWE
CWE-264
Permissions, Privileges, and Access Controls
Products Affected
debian
- apache