
Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)



On Wed, Dec 22, 2004 at 11:44:54AM +0100, Fabio Massimo Di Nitto wrote:
> 
> |>There is no point in such an operation. If a user has a local account
> |>it also has at least a few thousand other options to make a DoS on
> |>apache.
> |
> |
> | Apples and pears.  Information disclosure and DoS.  And BTW, fix the
> | DoSes too.
> 
> Oh GREAT.. so let's see... I should go around the world changing all the
> hardware on the planet because each user on a machine can use ab or any
> kind of tool that can telnet to port 80 generating millions of requests on
> the localhost server, therefore slowing down the machine?
No, no one ever asked you to do so. But please read your original statement -
are you _seriously_ suggesting that you won't fix a potential problem only
because there might be other problems as well? So, are you really saying that
apache can't be used in a professional ISP environment (where customers share
servers and have local accounts)? Hmm, I should have a serious talk with our
providers then.
BTW, your reply is rather murky on the technical side: the bug report doesn't
talk about a DoS, it mentions information leakage which is a different kind
of threat (and I hope you consider privacy important).

> you are welcome to provide me
> the money to do so, together with patches to each config file for each
> apache server out there so that there will be always available resources.

The OP just asked for a change of permission on the directory - what's so
time-consuming about that? When I learned system administration one of the key
points was to keep all configuration and logging data as private as possible.
Can you provide any reason for the logging directories _not_ having 750
permissions?

> |
> | IMVHO, You should at least read the bugreports before You are closing
> | them...
> |
> 
> So let's see.. provide me a PoC that I can use to gather information out
> of this theoretical bug that can lead to DoS or privilege escalation
> and I will fix this bug immediately.

Apache does write to logfiles in buffered blocks. By monitoring the file
I/O of the log file one can get a pretty good picture of the traffic amount
and access patterns for the corresponding server. Some of my customers _would_
consider this business-confidential data ...
One can also monitor whether a certain scan/exploit etc. triggers logging to
the error log - this is pretty much like a login program that tells you that
a user doesn't exist :-)

BTW, why is it that a lot of bug reporters are greeted with irony/sarcasm
or neglect here? The OP was neither rude, nor did he panic, nor did he
request something unreasonable. Unfortunately the same can't be said about
the reply. Just to mention: that's the reason I've pretty much given up
reporting Apache bugs.


Yours sincerely, Ralf Mattes
> 
> Fabio
> 
> - --
> Self-Service law:
> The last available dish of the food you have decided to eat, will be
> inevitably taken from the person in front of you.
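The leak Ralf describes rests on one POSIX detail: stat() on a path needs only search (x) permission on each directory component, not read permission on the file, so 0640 logfiles inside a 0755 directory still expose their size and mtime to every local user, and polling those values turns Apache's buffered flushes into a traffic timeline. The script below is an added illustration, not code from the bug report or from the Debian apache package: it audits a log directory for exactly that 0755/0640 combination, shows how a sequence of polled sizes becomes write events, and runs the whole thing against a constructed throwaway directory (standing in for /var/log/apache) rather than a real server. The function and file names are this example's own.

```python
import os
import stat
import tempfile
from pathlib import Path


def dir_leaks_log_metadata(log_dir):
    """Return the names of files in log_dir whose contents are protected
    (no o+r) but whose metadata is readable by any local user because the
    directory is world-searchable (o+x). An empty list means either the
    directory is 0750 or stricter, or every file inside is world-readable
    anyway (in which case the directory mode is not what leaks)."""
    d = Path(log_dir)
    dmode = stat.S_IMODE(d.stat().st_mode)
    if not dmode & stat.S_IXOTH:
        return []  # 'others' cannot traverse the directory: stat() on entries fails
    leaking = []
    for p in d.iterdir():
        if not p.is_file():
            continue
        fmode = stat.S_IMODE(p.stat().st_mode)
        if not fmode & stat.S_IROTH:
            leaking.append(p.name)
    return sorted(leaking)


def growth_events(sizes):
    """Turn a series of st_size values, sampled by polling stat() on a log
    we cannot read, into (sample_index, bytes_added) events. Each event is
    one flushed block; their spacing and size approximate request volume,
    and a jump in error.log right after a probe is the 'user does not
    exist' style oracle from the message above."""
    events = []
    for i in range(1, len(sizes)):
        if sizes[i] > sizes[i - 1]:
            events.append((i, sizes[i] - sizes[i - 1]))
    return events


def demo():
    """Constructed scenario: a temporary directory with the 0755 directory /
    0640 logfile layout the report complains about. Modes are set with
    chmod so the result does not depend on the caller's umask. Returns the
    audit result before and after tightening the directory to 0750, plus
    the write events reconstructed from polling the access log's size."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = Path(tmp) / "apache"
        log_dir.mkdir()
        os.chmod(log_dir, 0o755)
        access = log_dir / "access.log"
        error = log_dir / "error.log"
        for f in (access, error):
            f.touch()
            os.chmod(f, 0o640)
        # Simulate Apache flushing buffered blocks while a local user polls stat().
        sizes = [access.stat().st_size]
        for block in (b"x" * 4096, b"", b"x" * 4096, b"x" * 512):
            with access.open("ab") as fh:
                fh.write(block)
            sizes.append(access.stat().st_size)
        before = dir_leaks_log_metadata(log_dir)
        os.chmod(log_dir, 0o750)  # the change the bug report asks for
        after = dir_leaks_log_metadata(log_dir)
        return before, after, growth_events(sizes)


if __name__ == "__main__":
    before, after, events = demo()
    print("files leaking metadata with a 0755 directory:", before)
    print("files leaking metadata with a 0750 directory:", after)
    print("write events reconstructed from polled sizes:", events)
```

Running it as any user prints both logs as leaking under 0755 and none under 0750; on a real system the same audit can be pointed at /var/log/apache (or whichever directory the package uses) and the polling loop at a log owned by root:adm that the caller cannot open.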