On Wed, Dec 22, 2004 at 11:44:54AM +0100, Fabio Massimo Di Nitto wrote:
> Jan Minar wrote:
> | On Wed, Dec 22, 2004 at 09:57:13AM +0100, Fabio Massimo Di Nitto wrote:
> |
> |>tag 286740 - security
> |>thanks
> |>
> |>Jan Minar wrote:
> |>| Package: apache
> |>| Version: 1.3.33-2
> |>| Severity: minor
> |>| Tags: security
> |>|
> |>| Hi.
> |>|
> |>| /var/log/apache is world-readable, so users can e.g. check whether a
> |>| certain operation triggered an error. And given that the error strings
> |>| are pretty standardized, they can guess what string has been added to
> |>| the logfile, judging by the number of bytes that were appended to the
> |>| log.
> |>|
> |>| As this is not very obvious to the system administrator, and as there is
> |>| no use in the /var/log/apache directory being readable and searchable while
> |>| the files in it are not, apart from the information disclosure described
> |>| above, I think it should be chmod-ed 750, just as the logs in it are
> |>| chmod 640.
> |>|
> |>
> |>There is no point in such an operation. If a user has a local account,
> |>it also has at least a few thousand other options to make a DoS on apache.
> |
> |
> | Apples and pears. Information disclosure and DoS. And BTW, fix the
> | DoSes too.
>
> Oh GREAT.. so let's see... i should go around the world changing all the hardware
> on the planet because each user on a machine can use ab or any kind of tool
> that can telnet to port 80 generating millions of requests on the localhost
> server? Therefore slowing down the machine? You are welcome to provide me
> the money to do so, together with patches to each config file for each
> apache server out there so that there will always be available resources.

I think the iptables or tcpwrapper package maintainers can quote You
really affordable prices. Nevertheless, it is not of much relevance.

> |
> | IMVHO, You should at least read the bug reports before You are closing
> | them...
> |
>
> So let's see.. provide me a PoC that i can use to gather information out
> of this theoretical bug that can lead to DoS or privilege escalations
> and i will fix this bug immediately.

I never talked about DoS or privilege escalation. It's an:

*** unauthorized information disclosure ***

Please stop whining and fix the bug.

-- 
 )^o-o^|      jabber: rdancer@NJS.NetLab.Cz
 | .v K       e-mail: jjminar FastMail FM
 ` - .'       phone:  +44(0)7981 738 696
 \ __/Jan     icq:    345 355 493
__|o|__Minář  irc:    rdancer@IRC.FreeNode.Net
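The fix the report asks for is a permission change on the log directory (750, with the log files already 640). As an added example, written here and not taken from the bug report, from the Debian apache package or from either correspondent, the script below audits an Apache log directory for exactly that layout: it flags the directory itself and every entry in it that still grants any permission bit to "other". It assumes a POSIX sh and an `ls -l` whose first ten columns are the usual mode string (true of both GNU and BSD ls); the path `/var/log/apache` comes from the report, everything else is constructed.

```shell
#!/bin/sh
# Added example, not part of Debian bug #286740 or of the apache package:
# audit an Apache log directory for the layout proposed in the report
# (directory mode 750, log files mode 640), i.e. no permission bits for "other".
# Assumes POSIX sh and `ls -l` output with the standard 10-character mode field.

# Print the "other" permission triple (e.g. "r-x" or "---") of one path.
# Columns 8-10 of `ls -ld` are the world bits on both GNU and BSD ls;
# an ACL marker ("+") would sit in column 11 and does not disturb this.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Report the directory and every entry in it that grants anything to "other".
# Returns 0 when the layout is clean and 1 when there is at least one finding.
audit_logdir() {
    dir="$1"
    findings=0

    bits=$(other_bits "$dir")
    if [ "$bits" != "---" ]; then
        # World read lets any local user list the log file names; world search
        # (x) lets them stat the files and watch their sizes change, which is
        # the disclosure the report describes even when the files are 640.
        echo "FINDING: $dir is world-accessible (other=$bits); expected mode 750"
        findings=$((findings + 1))
    fi

    for f in "$dir"/*; do
        [ -e "$f" ] || continue        # empty directory: the glob stays literal
        bits=$(other_bits "$f")
        if [ "$bits" != "---" ]; then
            echo "FINDING: $f is world-accessible (other=$bits); expected mode 640"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Stand-alone use:  sh audit_logdir.sh /var/log/apache
# Exit status is 0 for a clean layout, 1 when anything is world-accessible.
[ $# -eq 0 ] || audit_logdir "$1"
```

The check deliberately looks only at the "other" bits rather than comparing the full mode to 750/640, so a site that keeps logs group-readable for a log-analysis account (the `adm` group on Debian) passes, while a directory left at the default 755 is reported.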
Attachment:
pgpig8B1VoRhV.pgp
Description: PGP signature