Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

On Tue, Dec 21, 2004 at 09:41:35PM +0000, Jan Minar wrote:

> Package: apache
> Version: 1.3.33-2
> Severity: minor
> Tags: security
> 
> Hi.
> 
> /var/log/apache is world-readable, so users can e.g. check whether a
> certain operation triggered an error.  And given that the error strings
> are pretty standardized, they can guess what string has been added to
> the logfile, judging by the number of bytes that were appended to the
> log.
> 
> As this is not very obvious to the system administrator, and as there is
> no use of the /var/log/apache directory being readable and searchable while
> the files in it are not, apart from the information disclosure described
> above, I think it should be chmod-ed 750, just as the logs in it are
> chmod 640.

I don't see a scenario where this could result in a meaningful security

The user can just as easily find out that an error was caused by noticing
the 5xx error returned by the server in response to the request.

 - mdz
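The mismatch the report describes (a directory that grants "other" read/search while the log files inside deny "other" read, so any local user can still stat the files and watch their sizes grow) is easy to audit. The following shell script is an added example and is not part of the bug report or of the Debian apache package; the function names `mode_of`, `other_digit` and `check_logdir` are ours, and the BSD `stat -f` fallback is an assumption for non-GNU systems. It reports the files whose size is observable but whose content is not readable, and suggests the `chmod o-rx` the reporter asked for.

```shell
#!/bin/sh
# Added example (not from the bug report or the apache package): audit a
# log directory for a directory mode that is more permissive than the
# files in it. With "other" read/search on the directory, any local user
# can stat the log files and see how many bytes each request appended.

mode_of() {
    # Octal mode string of a path: GNU stat first, BSD stat as fallback.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

other_digit() {
    # Low octal digit of the mode, i.e. the permission bits for "other".
    mode_of "$1" | sed 's/^.*\(.\)$/\1/'
}

check_logdir() {
    # Returns 0 when the directory is no more permissive than its files,
    # 1 when it exposes the metadata of files that "other" cannot read,
    # 2 when the argument is not a directory.
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    d=$(other_digit "$dir")
    # Directory grants neither read (4) nor search (1) to "other": nothing leaks.
    [ $((d & 5)) -ne 0 ] || return 0
    leaked=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        o=$(other_digit "$f")
        # File denies "other" read, yet its size is visible through the directory.
        if [ $((o & 4)) -eq 0 ]; then
            echo "size observable, content unreadable: $f (mode $(mode_of "$f"))"
            leaked=$((leaked + 1))
        fi
    done
    if [ "$leaked" -gt 0 ]; then
        echo "$dir (mode $(mode_of "$dir")): consider: chmod o-rx '$dir'"
        return 1
    fi
    return 0
}

# Stand-alone use: sh logdir_check.sh /var/log/apache
if [ $# -gt 0 ]; then
    check_logdir "$1"
fi
```

The check is purely mode-based, so it gives the same answer whether it is run as root or as an unprivileged user; a non-zero exit status makes it usable from a cron job or a configuration-management health check.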

