Web directories attacked with bad .htaccess

To: debian-security@lists.debian.org
Subject: Web directories attacked with bad .htaccess
From: Ramon Acedo <ramon@linux-labs.net>
Date: Fri, 27 Jan 2006 11:59:37 +0100
Message-id: <[🔎] 1138359577.445.30.camel@pangeadm.upc.es>

Hello,

In an up-to-date Debian Sarge box yesterday I found a lot of bad
.htaccess looking like this:

Options -MultiViews
ErrorDocument 404 //foldername/time.php

I found that many of them where located in 777 directories like the
smarty templates_c. Not all of them though. It has been a system wide
problem because it has affected to lots of folders of different users.

This was producing an apache Internal Sever Error in every directory
they were located because of an "Options not allowed here"

As a measure I changed 777 to www-data owner + 755:

find . -perm 777  -exec chmod 755 {} \; -exec chown www-data {} \;

Where . was DocumentRoot

It won't hurt but I doubt it will solve the vulnerability

Any suggestions or similar experiences?

Thanks in advance.

Ramon

Reply to:

Follow-Ups:
- Re: Web directories attacked with bad .htaccess
  - From: Vladislav Kurz <vladislav.kurz@webstep.net>

Prev by Date: Re: PaX on Debian
Next by Date: unsubscribe
Previous by thread: Re: PaX on Debian
Next by thread: Re: Web directories attacked with bad .htaccess
Index(es):
- Date
- Thread