
Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)



On Wed, Dec 22, 2004 at 09:57:13AM +0100, Fabio Massimo Di Nitto wrote:
> tag 286740 - security
> thanks
> 
> Jan Minar wrote:
> | Package: apache
> | Version: 1.3.33-2
> | Severity: minor
> | Tags: security
> |
> | Hi.
> |
> | /var/log/apache is world-readable, so users can e.g. check whether a
> | certain operation triggered an error.  And given that the error strings
> | are pretty standardized, they can guess what string has been added to
> | the logfile, judging by the number of bytes that were appended to the
> | log.
> |
> | As this is not very obvious to the system administrator, and as there is
> | no use of /var/log/apache directory being readable and searchable while
> | the files in it are not, apart from the information disclosure described
> | above, I think it should be chmod-ed 750, just as the logs in it are
> | chmod 640.
> |
> 
> There is no point in such an operation. If a user has a local account,
> they also have at least a few thousand other options to make a DoS on apache.

Apples and pears.  Information disclosure and DoS.  And BTW, fix the
DoSes too.

IMVHO, You should at least read the bug reports before You close
them...

-- 
 )^o-o^|    jabber: rdancer@NJS.NetLab.Cz
 | .v  K    e-mail: jjminar FastMail FM
 `  - .'     phone: +44(0)7981 738 696
  \ __/Jan     icq: 345 355 493
 __|o|__Minář  irc: rdancer@IRC.FreeNode.Net

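As an added illustration of the mismatch the report describes (a directory that is readable and searchable by "other" while the log files inside it are 0640), here is a small audit script written for this page; it is not part of the bug thread or of the Debian apache package. It assumes a POSIX sh with GNU stat(1) supporting `-c %a`, builds a constructed directory that mimics the shipped layout, flags the mismatch, and tightens the directory to 0750 as the report suggests.

```shell
#!/bin/sh
# Added example, not from the bug report: audit a log directory whose mode
# grants "other" more than the files inside it do, then harden it.
# Assumption: POSIX sh plus GNU stat(1) with "-c %a" (prints the octal mode).

# other_bits PATH -> echo the "other" permission digit (0-7) of PATH
other_bits() {
    echo $(( $(stat -c %a "$1") % 10 ))
}

# audit_logdir DIR -> 0 if consistent; 1 if DIR lets "other" read or search
# it while none of the regular files inside is readable by "other".
# An empty directory is not flagged: there is nothing in it to size.
audit_logdir() {
    dir=$1
    dir_o=$(other_bits "$dir")
    nfiles=0
    any_file_readable=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        nfiles=$(( nfiles + 1 ))
        if [ $(( $(other_bits "$f") & 4 )) -ne 0 ]; then
            any_file_readable=1
        fi
    done
    if [ "$nfiles" -gt 0 ] && [ $(( dir_o & 5 )) -ne 0 ] \
        && [ "$any_file_readable" -eq 0 ]; then
        echo "MISMATCH: $dir is mode $(stat -c %a "$dir") but no file in it is other-readable"
        return 1
    fi
    echo "OK: $dir"
    return 0
}

# harden_logdir DIR -> drop every "other" bit from DIR (e.g. 0755 -> 0750),
# matching the 0640 logs inside it.
harden_logdir() {
    chmod o-rwx "$1"
}

# Demo on a constructed directory laid out like /var/log/apache as shipped:
# directory 0755, logs 0640.
demo=$(mktemp -d)
touch "$demo/access.log" "$demo/error.log"
chmod 640 "$demo"/*.log
chmod 755 "$demo"
if ! audit_logdir "$demo"; then
    harden_logdir "$demo"
    audit_logdir "$demo"
fi
rm -rf "$demo"
```

Run as root against the real directory (`audit_logdir /var/log/apache`) to see whether the shipped permissions still show the mismatch; the check only looks at permission bits and never reads the logs themselves.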

