
Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)




rm@fabula.de wrote:
| On Wed, Dec 22, 2004 at 11:44:54AM +0100, Fabio Massimo Di Nitto wrote:
|
| |>There is no point in such operation. If a user has a local account
| |>it also has at least a few other thousands options to make a DoS on
| |>apache.
| |
| |
| | Apples and pears.  Information disclosure and DoS.  And BTW, fix the
| | DoSes too.
|
| Oh GREAT.. so let's see... i should go around the world changing all the
| hardware on the planet because each user on a machine can use ab or any
| kind of tool that can telnet to port 80 generating millions of requests
| on the localhost server? therefore slowing down the machine?
|
|> No, No one ever asked you to do so. But please read your original statement -
|> are you _seriously_ suggesting that you won't fix a potential problem only
|> because there might be other problems as well? So, are you really saying that
|> apache can't be used in a professional ISP environment (where customers share
|> servers and have local accounts)? Hmm, i should have a serious talk with our
|> providers then.

This is a more than common problem on every kind of server you run. There is
nothing new about it.
It can be apache, it can be whatever other service. On a network environment
the situation can be slightly different since you are limited (somehow) to the
available bw to provide a DoS. or to scan the network.. etc.

The fact that you already have access to the box will give you many other ways
to do whatever you want (or almost) on the machine. So if we really want to be
paranoid, why does that user have local access in the first place?

If the user for example can write .htaccess file, it is enough for him to write
wrong entries in there to make the server generate errors, without even the need
of checking the log file.

|> BTW, your reply is rather murky on the technical side: the bug report doesn't
|> talk about a DOS, it mentions information leakage which is a different kind
|> of threat (and i hope you consider privacy important).

The example the OP has given about monitoring error logs doesn't provide you any vital
information from the running server and even if you can barely guess what has been
written to the log file, there is almost no use for this info. Remember that you are
not monitoring access.log that can contain real sensible data.

| you are welcome to provide me
| the money to do so, together with patches to each config file for each
| apache server out there so that there will be always available resources.
|
|
|> The OP just asked for a change of permission on the directory - what's so
|> time-consuming about that? When i learned system administration one of the
|> key points was to keep all configuration and logging data as private as
|> possible. Can you provide any reason for the logging directories _not_
|> having 750 permission?
|

It is pointless since you cannot read the files.

|
| |
| | IMVHO, You should at least read the bugreports before You are closing
| | them...
| |
|
| So let's see.. provide me a PoC that i can use to gather information out
| of this theoretical bug that can lead to DoS or privilege escalations
| and i will fix this bug immediately.
|
|
|> Apache does write to logfiles in buffered blocks. By monitoring the file
|> io of the log file one can get a pretty good picture of the traffic amount
|> and access patterns for the corresponding server. Some of my customers _would_
|> consider this business-confidential data ...

Checking the file size doesn't provide enough information about the traffic or
access patterns. Your server could get one request for a TeraByte of data or
1000000000 requests for nothing and the log entries would change in size anyway
according to the requested URL. Therefore there is no match between amount and size
of the requests.

|> One can also monitor whether a certain scan/exploit etc. triggers logging to
|> the error log - this is pretty much like a login program that tells you that
|> a user doesn't exist :-)

If a user has access to the machine, he/she doesn't need to look at apache logs
to gather this information.

|
|> BTW, why is it that a lot of bug reporters are greeted with irony/sarcasm
|> or neglect here?

A "security" bug as it claims to be is either serious or is not a security bug.
I have never heard of a minor security bug. Did you?

Fabio

--
Self-Service law:
The last available dish of the food you have decided to eat, will be
inevitably taken from the person in front of you.
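
An added example, not part of the original message or of the Debian apache package: a mode-bit audit of the case argued over in this thread, where the log files are unreadable to other users but the log directory is not 750, so file size and modification time stay visible through stat(). The temporary directory, the `error.log` sample, the 640 file mode and the function names are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_log_dir(path):
    """Return (finding, path, mode) tuples for a log directory, from mode bits only."""
    findings = []
    dmode = stat.S_IMODE(os.stat(path).st_mode)
    if dmode & stat.S_IROTH:
        # r on a directory: other users can list the file names
        findings.append(("dir-listable", path, oct(dmode)))
    searchable = bool(dmode & stat.S_IXOTH)
    if searchable:
        # x on a directory: other users can stat() entries inside it
        findings.append(("dir-searchable", path, oct(dmode)))
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)
        if not stat.S_ISREG(st.st_mode):
            continue
        fmode = stat.S_IMODE(st.st_mode)
        if fmode & stat.S_IROTH:
            findings.append(("file-readable", full, oct(fmode)))
        elif searchable:
            # Contents are protected, but size and mtime are still visible.
            findings.append(("metadata-visible", full, oct(fmode)))
    return findings


def build_sample(dir_mode):
    """Constructed sample: a temp dir standing in for the Apache log directory."""
    root = tempfile.mkdtemp(prefix="logaudit-")
    log = os.path.join(root, "error.log")
    with open(log, "w") as fh:
        fh.write("[error] constructed sample line\n")
    os.chmod(log, 0o640)       # log file mode assumed for the example
    os.chmod(root, dir_mode)
    return root


if __name__ == "__main__":
    for mode in (0o755, 0o750):
        print(oct(mode), audit_log_dir(build_sample(mode)))
```

With the directory at 755 the audit reports the log file as `metadata-visible`; at 750 it reports nothing.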


