[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)



On Wed, Dec 22, 2004 at 07:05:13PM -0800, Matt Zimmerman wrote:
> On Tue, Dec 21, 2004 at 09:41:35PM +0000, Jan Minar wrote:
> 
> > Package: apache
> > Version: 1.3.33-2
> > Severity: minor
> > Tags: security
> > 
> > Hi.
> > 
> > /var/log/apache is world-readable, so users can e.g. check whether
> > certain operation triggered an error.  And given that the error strings
> > are pretty standardized, they can guess what string has been added to
> > the logfile, judging by the number of bytes that was appended to the
> > log.
> > 
> > As this is not very obvious to the system administrator, and as there is
> > no use of /var/log/apache directory being readable and searchable while
> > the files in it are not, apart from the information disclosure described
> > above, I think it should be chmod-ed 750, just as the logs in it are
> > chmod 640.
> 
> I don't see a scenario where this could result in a meaningful security
> issue.

I do, but I don't think it's worth my time to write PoCs for every
unimportant marginally important security issue out there.

> The user can just as easily find out that an error was caused by noticing
> the 5xx error returned by the server in response to the request.

Only if it was an error returned to them.  Also, the log files can have
far more detail than just the error code.

Cheers,
-- 
 )^o-o^|    jabber: rdancer@NJS.NetLab.Cz
 | .v  K    e-mail: jjminar FastMail FM
 `  - .'     phone: +44(0)7981 738 696
  \ __/Jan     icq: 345 355 493
 __|o|__Minář  irc: rdancer@IRC.FreeNode.Net

Attachment: pgpWK94RkRWYA.pgp
Description: PGP signature


Reply to: