[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)



On Wed, Dec 22, 2004 at 11:44:54AM +0100, Fabio Massimo Di Nitto wrote:
> Jan Minar wrote:
> | On Wed, Dec 22, 2004 at 09:57:13AM +0100, Fabio Massimo Di Nitto wrote:
> |
> |>tag 286740 - security
> |>thanks
> |>
> |>Jan Minar wrote:
> |>| Package: apache
> |>| Version: 1.3.33-2
> |>| Severity: minor
> |>| Tags: security
> |>|
> |>| Hi.
> |>|
> |>| /var/log/apache is world-readable, so users can e.g. check whether
> |>| certain operation triggered an error.  And given that the error strings
> |>| are pretty standardized, they can guess what string has been added to
> |>| the logfile, judging by the number of bytes that was appended to the
> |>| log.
> |>|
> |>| As this is not very obvious to the system administrator, and as there is
> |>| no use of /var/log/apache directory being readable and searchable while
> |>| the files in it are not, apart from the information disclosure described
> |>| above, I think it should be chmod-ed 750, just as the logs in it are
> |>| chmod 640.
> |>|
> |>
> |>There is no point in such operation. If a user have a local account
> |>it also has at least a few other thousands options to make a DoS on apache.
> |
> |
> | Apples and pears.  Information disclosure and DoS.  And BTW, fix the
> | DoSes too.
> 
> Oh GREAT.. so let see... i should go around the world changing all the hardware
> on the planet because each user on a machine can use ab or any kind of tool
> that can telnet to port 80 generating millions of requests on the localhost
> server? Therefor slowing down the machine? You are welcome to provide me
> the money to do so, together with patches to each config file for each
> apache server out there so that there will be always available resources.

I think the iptables or tcpwrapper packages maintainers can quote You
really affordable prices.  Nevertheless, it is not much of a relevance.

> |
> | IMVHO, You should at least read the bugreports before You are closing
> | them...
> |
> 
> So let see.. provide me a PoC that i can use to gather information out
> of this theorerical bug that can lead to DoS or privilege escalations
> and i will fix this bug immediatly.

I never talked about DoS or privilege escalation.  It's an:

	*** unauthorized information disclosure ***

Please stop whining and fix the bug.


-- 
 )^o-o^|    jabber: rdancer@NJS.NetLab.Cz
 | .v  K    e-mail: jjminar FastMail FM
 `  - .'     phone: +44(0)7981 738 696
  \ __/Jan     icq: 345 355 493
 __|o|__Minář  irc: rdancer@IRC.FreeNode.Net

Attachment: pgpL2NTGoSViH.pgp
Description: PGP signature


Reply to: