Hi.

E.g. Apache and PostgreSQL store logfiles which are themselves non-world-readable in directories which are world-readable. This can at least theoretically lead to unauthorized information disclosure (see below).

There doesn't seem to be enough acceptance for this being a problem, and there is at least one inconvenience introduced by fixing this problem; therefore I ask this list to supply both pros and cons of this.

Cf. #286737 and #286740.

Example scenario:

The attacker sends an HTTP GET request which she knows will trigger an unauthorized SQL query. There will be an error page returned, which will conceal the reason of the error, but the log will be more verbose. There will be only 2 possible reasons of the query: (1) the queried table doesn't exist, and (2) insufficient permissions to query the table. Log entry (1) will take at least n bytes of the logfile, log entry (2) at least n+m bytes, where n, m are whole numbers greater than zero. Comparing the log file size before and after the query, the attacker will know that if the sizes differ by less than n+m, the table doesn't exist.

The error strings are by their very nature quite standardized, and have different lengths, and I suspect there are some usable albeit limited attacks that could employ this.

Cheers,
--
 )^o-o^|    jabber: rdancer@NJS.NetLab.Cz
 | .v  K    e-mail: jjminar FastMail FM
 `  - .'     phone: +44(0)7981 738 696
  \ __/Jan     icq: 345 355 493
 __|o|__Minář  irc: rdancer@IRC.FreeNode.Net
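Added example, not part of the original message: an audit sketch that lists log files whose contents are hidden from "other" but whose size is still observable, because stat() only needs search permission on the containing directories. The function names are hypothetical, /var/log is just a default, and the ancestors of the scanned root are assumed to be traversable.

```python
import os
import stat
import sys


def other_can_search(path):
    """True if users outside owner/group may traverse this directory."""
    return bool(os.lstat(path).st_mode & stat.S_IXOTH)


def metadata_exposed_logs(root):
    """Return sorted (path, size) pairs for regular files under root that
    'other' cannot read but can still stat(), so size changes are visible.

    Assumption: every ancestor of root is itself traversable by 'other'.
    """
    findings = []
    if not other_can_search(root):
        return findings
    for dirpath, dirnames, filenames in os.walk(root):
        # stat() needs search (x) on each directory in the path, not read
        # permission on the file; prune subtrees 'other' cannot enter.
        dirnames[:] = [d for d in dirnames
                       if other_can_search(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file rotated away or not reachable by the auditor
            if stat.S_ISREG(st.st_mode) and not st.st_mode & stat.S_IROTH:
                findings.append((path, st.st_size))
    return sorted(findings)


if __name__ == "__main__":
    # /var/log is only a default; pass another directory as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/log"
    for path, size in metadata_exposed_logs(target):
        print(f"{size:>12}  {path}")
```

A log directory without the search bit for "other" (for example mode 0750) produces no findings for the files beneath it.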