Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-23 Thread Jan Minar
On Thu, Dec 23, 2004 at 09:44:00AM -0800, Matt Zimmerman wrote:
> On Thu, Dec 23, 2004 at 01:20:02PM +0000, Jan Minar wrote:
> 
> > On Wed, Dec 22, 2004 at 07:05:13PM -0800, Matt Zimmerman wrote:
> > > The user can just as easily find out that an error was caused by noticing
> > > the 5xx error returned by the server in response to the request.
> > 
> > Only if it was an error returned to them.  Also, the log files can have
> > far more detail than just the error code.
> 
> The detail is irrelevant, since the user can't read the file.  In both
> cases, they can find out that an error occurred.

Please read the original bugreport.

-- 
 )^o-o^|jabber: [EMAIL PROTECTED]
 | .v  Ke-mail: jjminar FastMail FM
 `  - .' phone: +44(0)7981 738 696
  \ __/Jan icq: 345 355 493
 __|o|__Minář  irc: [EMAIL PROTECTED]




Bug#287012: apache: Should warn on nonsensical configuration

2004-12-23 Thread Jan Minar
Package: apache
Version: 1.3.33-2
Severity: wishlist

It just took me 3 hours and a lot of cursing to find this:

Listen 433


(Note the port numbers differ.)

Under such circumstances, apache really should warn about possible
misconfiguration.  I don't know whether this can actually be a valid
config setup.  If not, an error rather than a warning would be more appropriate.

Cheers,
Jan.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (700, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.28-jan
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)

Versions of packages apache depends on:
ii  apache-common   1.3.33-2 Support files for all Apache webse
ii  debconf 1.4.30.10Debian configuration management sy
ii  dpkg1.10.25  Package maintenance system for Deb
ii  libc6   2.3.2.ds1-18 GNU C Library: Shared libraries an
ii  libdb4.24.2.52-17Berkeley v4.2 Database Libraries [
ii  libexpat1   1.95.8-1 XML parsing C library - runtime li
ii  libmagic1   4.12-1   File type determination library us
ii  logrotate   3.7-2Log rotation utility
ii  mime-support3.28-1   MIME files 'mime.types' & 'mailcap
ii  perl5.8.4-3  Larry Wall's Practical Extraction 

-- debconf information:
  apache/init: true
  apache/server-port: 80
  apache/document-root: /var/www
  apache/server-admin: [EMAIL PROTECTED]
  apache/server-name: localhost
* apache/enable-suexec: false



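The check the report asks apache for, as an added example (this is not code from the bug report or from the apache package): a small lint that parses Apache 1.3-style directives and warns when a port named in a <VirtualHost> or NameVirtualHost directive is not one the server binds with Listen (or, when no Listen is present, with Port). The report only shows the Listen line, so the sample config below is constructed on the assumption that the other port came from a <VirtualHost *:443> block; the directive names and the rule "no Listen means Port is bound" are Apache 1.3 behaviour, IPv4 syntax only.

```python
"""Added example (not part of the Debian bug report or the apache package):
lint an Apache 1.3-style config for ports referenced by <VirtualHost> or
NameVirtualHost that no Listen directive (or, absent Listen, Port) binds."""
import re
from typing import List, Set, Tuple

LISTEN_RE = re.compile(r'^Listen\s+(?:(\S+?):)?(\d+)$', re.I)
PORT_RE = re.compile(r'^Port\s+(\d+)$', re.I)
VHOST_RE = re.compile(r'^<VirtualHost\s+([^>]+)>$', re.I)
NAMEVHOST_RE = re.compile(r'^NameVirtualHost\s+(\S+)$', re.I)


def _port_of(spec: str, default: int) -> int:
    """Port from '*:443', '10.0.0.1:8080' or '_default_:443'; default if omitted."""
    if ':' in spec:
        return int(spec.rsplit(':', 1)[1])
    return default


def lint_ports(config_text: str) -> List[str]:
    """Return one warning per VirtualHost/NameVirtualHost port the server
    does not listen on. An empty list means the ports are consistent."""
    listen_ports: Set[int] = set()
    main_port = 80                          # Apache's built-in default for Port
    refs: List[Tuple[int, str, int]] = []   # (line number, directive, port)
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LISTEN_RE.match(line)
        if m:
            listen_ports.add(int(m.group(2)))
            continue
        m = PORT_RE.match(line)
        if m:
            main_port = int(m.group(1))
            continue
        m = VHOST_RE.match(line)
        if m:
            for spec in m.group(1).split():     # several addresses are allowed
                refs.append((n, 'VirtualHost', _port_of(spec, main_port)))
            continue
        m = NAMEVHOST_RE.match(line)
        if m:
            refs.append((n, 'NameVirtualHost', _port_of(m.group(1), main_port)))
    # With no Listen directive at all, Apache 1.3 binds only the Port value.
    bound = listen_ports or {main_port}
    warnings = []
    for n, directive, port in refs:
        if port not in bound:
            warnings.append('line %d: %s uses port %d, but the server only '
                            'listens on %s' % (n, directive, port,
                            ', '.join(str(p) for p in sorted(bound))))
    return warnings


# Constructed sample with the shape of the reported config: Listen says 433,
# the virtual host says 443 (assumption: the report shows only the Listen line).
BAD_CONFIG = """\
Port 80
Listen 433
<VirtualHost *:443>
    ServerName www.example.org
</VirtualHost>
"""

GOOD_CONFIG = BAD_CONFIG.replace('Listen 433', 'Listen 443')

if __name__ == '__main__':
    for w in lint_ports(BAD_CONFIG) or ['no port mismatches']:
        print(w)
```

Run against a real httpd.conf by reading the file into lint_ports(); it deliberately only understands the four directives it names, so Include'd files must be concatenated first.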


Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-23 Thread Jan Minar
On Wed, Dec 22, 2004 at 07:05:13PM -0800, Matt Zimmerman wrote:
> On Tue, Dec 21, 2004 at 09:41:35PM +0000, Jan Minar wrote:
> 
> > Package: apache
> > Version: 1.3.33-2
> > Severity: minor
> > Tags: security
> > 
> > Hi.
> > 
> > /var/log/apache is world-readable, so users can e.g. check whether
> > certain operation triggered an error.  And given that the error strings
> > are pretty standardized, they can guess what string has been added to
> > the logfile, judging by the number of bytes that was appended to the
> > log.
> > 
> > As this is not very obvious to the system administrator, and as there is
> > no use of /var/log/apache directory being readable and searchable while
> > the files in it are not, apart from the information disclosure described
> > above, I think it should be chmod-ed 750, just as the logs in it are
> > chmod 640.
> 
> I don't see a scenario where this could result in a meaningful security
> issue.

I do, but I don't think it's worth my time to write PoCs for every
unimportant marginally important security issue out there.

> The user can just as easily find out that an error was caused by noticing
> the 5xx error returned by the server in response to the request.

Only if it was an error returned to them.  Also, the log files can have
far more detail than just the error code.

Cheers,




Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-22 Thread Jan Minar
On Wed, Dec 22, 2004 at 11:44:54AM +0100, Fabio Massimo Di Nitto wrote:
> Jan Minar wrote:
> | On Wed, Dec 22, 2004 at 09:57:13AM +0100, Fabio Massimo Di Nitto wrote:
> |
> |>tag 286740 - security
> |>thanks
> |>
> |>Jan Minar wrote:
> |>| Package: apache
> |>| Version: 1.3.33-2
> |>| Severity: minor
> |>| Tags: security
> |>|
> |>| Hi.
> |>|
> |>| /var/log/apache is world-readable, so users can e.g. check whether
> |>| certain operation triggered an error.  And given that the error strings
> |>| are pretty standardized, they can guess what string has been added to
> |>| the logfile, judging by the number of bytes that was appended to the
> |>| log.
> |>|
> |>| As this is not very obvious to the system administrator, and as there is
> |>| no use of /var/log/apache directory being readable and searchable while
> |>| the files in it are not, apart from the information disclosure described
> |>| above, I think it should be chmod-ed 750, just as the logs in it are
> |>| chmod 640.
> |>|
> |>
> |>There is no point in such an operation. If a user has a local account,
> |>it also has at least a few thousand other options to make a DoS on apache.
> |
> |
> | Apples and pears.  Information disclosure and DoS.  And BTW, fix the
> | DoSes too.
> 
> Oh GREAT.. so let's see... I should go around the world changing all the
> hardware on the planet because each user on a machine can use ab or any kind
> of tool that can telnet to port 80 generating millions of requests on the
> localhost server? Therefore slowing down the machine? You are welcome to
> provide me the money to do so, together with patches to each config file for
> each apache server out there so that there will always be available resources.

I think the iptables or tcpwrapper package maintainers can quote You
really affordable prices.  Nevertheless, it is not of much relevance.

> |
> | IMVHO, You should at least read the bugreports before You are closing
> | them...
> |
> 
> So let's see.. provide me a PoC that I can use to gather information out
> of this theoretical bug that can lead to DoS or privilege escalations
> and I will fix this bug immediately.

I never talked about DoS or privilege escalation.  It's an:

*** unauthorized information disclosure ***

Please stop whining and fix the bug.






Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-22 Thread Jan Minar
On Wed, Dec 22, 2004 at 09:57:13AM +0100, Fabio Massimo Di Nitto wrote:
> tag 286740 - security
> thanks
> 
> Jan Minar wrote:
> | Package: apache
> | Version: 1.3.33-2
> | Severity: minor
> | Tags: security
> |
> | Hi.
> |
> | /var/log/apache is world-readable, so users can e.g. check whether
> | certain operation triggered an error.  And given that the error strings
> | are pretty standardized, they can guess what string has been added to
> | the logfile, judging by the number of bytes that was appended to the
> | log.
> |
> | As this is not very obvious to the system administrator, and as there is
> | no use of /var/log/apache directory being readable and searchable while
> | the files in it are not, apart from the information disclosure described
> | above, I think it should be chmod-ed 750, just as the logs in it are
> | chmod 640.
> |
> 
> There is no point in such an operation. If a user has a local account,
> it also has at least a few thousand other options to make a DoS on apache.

Apples and pears.  Information disclosure and DoS.  And BTW, fix the
DoSes too.

IMVHO, You should at least read the bugreports before You are closing
them...





Bug#286740: apache: log directory should have same permissions as logfiles (possible information disclosure)

2004-12-21 Thread Jan Minar
Package: apache
Version: 1.3.33-2
Severity: minor
Tags: security

Hi.

/var/log/apache is world-readable, so users can e.g. check whether
certain operation triggered an error.  And given that the error strings
are pretty standardized, they can guess what string has been added to
the logfile, judging by the number of bytes that was appended to the
log.

As this is not very obvious to the system administrator, and as there is
no use of /var/log/apache directory being readable and searchable while
the files in it are not, apart from the information disclosure described
above, I think it should be chmod-ed 750, just as the logs in it are
chmod 640.

Thanks.
Jan.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (700, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.28-jan
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)

Versions of packages apache depends on:
ii  apache-common   1.3.33-2 Support files for all Apache webse
ii  debconf 1.4.30.10Debian configuration management sy
ii  dpkg1.10.25  Package maintenance system for Deb
ii  libc6   2.3.2.ds1-18 GNU C Library: Shared libraries an
ii  libdb4.24.2.52-17Berkeley v4.2 Database Libraries [
ii  libexpat1   1.95.8-1 XML parsing C library - runtime li
ii  libmagic1   4.12-1   File type determination library us
ii  logrotate   3.7-2Log rotation utility
ii  mime-support3.28-1   MIME files 'mime.types' & 'mailcap
ii  perl5.8.4-3  Larry Wall's Practical Extraction 

-- debconf information:
  apache/init: true
  apache/server-port: 80
  apache/document-root: /var/www
  apache/server-admin: [EMAIL PROTECTED]
  apache/server-name: localhost
* apache/enable-suexec: false



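The disclosure the report describes, as an added example (this is not code from the bug report, from Debian or from the apache package). Part (a) is the audit an administrator would want: a log directory whose 'others' search bit is set while the files in it are mode 640, which is exactly the shipped layout the report objects to. Part (b) shows why that matters: stat() needs only search permission on the directory, not read permission on the file, so the file size is visible, and because Apache 1.3 error_log lines have a fixed layout (24-character ctime stamp, level, client address, a standard message, the requested path), a local user who sent the request can map the size delta back to the message that was appended. The client address, paths, modes and timestamp are constructed for the demo; the three message strings are typical Apache 1.3 error_log bodies and are an assumption to verify against your own server's log.

```python
"""Added example (not part of the Debian bug report or the apache package).
(a) audit: does the 'others' search bit on a log directory let non-owners
    stat() files they cannot read?  (b) side channel: map an error_log size
    delta back to the Apache 1.3 message that was appended."""
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# ---- (a) permissions audit ---------------------------------------------

def audit_log_dir(path: str) -> Dict[str, object]:
    """Flag a directory whose 'others' search bit lets non-owners stat()
    files they are not allowed to read (the condition in the report)."""
    dir_mode = stat.S_IMODE(os.stat(path).st_mode)
    unreadable = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full) and not stat.S_IMODE(os.stat(full).st_mode) & stat.S_IROTH:
            unreadable.append(name)
    leak = bool(dir_mode & stat.S_IXOTH) and bool(unreadable)
    return {'dir_mode': oct(dir_mode), 'unreadable_files': unreadable,
            'size_visible_to_others': leak,
            'fix': 'chmod 750 %s' % path if leak else None}


def demo_audit() -> Tuple[bool, bool]:
    """Mode 755 directory holding a 640 log (the shipped layout), then 750."""
    with tempfile.TemporaryDirectory() as tmp:
        logdir = os.path.join(tmp, 'apache')
        os.mkdir(logdir)
        os.chmod(logdir, 0o755)
        log = os.path.join(logdir, 'error.log')
        open(log, 'wb').close()
        os.chmod(log, 0o640)
        before = audit_log_dir(logdir)['size_visible_to_others']
        os.chmod(logdir, 0o750)            # the change the report asks for
        after = audit_log_dir(logdir)['size_visible_to_others']
        return before, after

# ---- (b) the size side channel -----------------------------------------

CLIENT_IP = '10.0.0.5'   # constructed: the observer sent the request, so knows it
STAMP = 'Wed Dec 22 11:44:54 2004'   # ctime() layout, always 24 characters
# Typical Apache 1.3 error_log bodies (assumption: check your own log);
# {target} is the path the observer requested, so its length is known too.
ERROR_TEMPLATES = {
    'file_missing':    'File does not exist: {target}',
    'index_forbidden': 'Directory index forbidden by rule: {target}',
    'client_denied':   'client denied by server configuration: {target}',
}


def format_error_line(kind: str, target: str, client_ip: str = CLIENT_IP) -> str:
    return '[%s] [error] [client %s] %s\n' % (
        STAMP, client_ip, ERROR_TEMPLATES[kind].format(target=target))


def expected_delta(kind: str, target: str, client_ip: str = CLIENT_IP) -> int:
    return len(format_error_line(kind, target, client_ip).encode())


def infer_appended(delta: int, target: str, client_ip: str = CLIENT_IP) -> List[str]:
    """Candidate messages that would grow the log by exactly `delta` bytes."""
    return [k for k in ERROR_TEMPLATES
            if expected_delta(k, target, client_ip) == delta]


def demo_side_channel() -> Tuple[int, List[str]]:
    """Observer stats the log, the server appends one error line, observer
    stats again and names the error without ever opening the file."""
    target = '/var/www/admin/config.php'
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, 'error.log')
        with open(log, 'wb') as fh:        # unrelated earlier content
            fh.write(b'[Wed Dec 22 11:44:00 2004] [notice] Apache configured\n')
        before = os.stat(log).st_size
        with open(log, 'ab') as fh:        # what the server writes for a 403
            fh.write(format_error_line('client_denied', target).encode())
        delta = os.stat(log).st_size - before
        return delta, infer_appended(delta, target)


if __name__ == '__main__':
    print('size visible to others, 755 then 750:', demo_audit())
    print('delta and inferred message:', demo_side_channel())
```

Two caveats for anyone reproducing this on a real host: the inference only works when the observer's entry is the only thing appended between the two stat() calls, so it is a quiet-server attack, and st_mtime leaks "something was logged just now" even when the delta is ambiguous. The directory mode is the right place to fix it because stat() is refused as soon as any path component lacks search permission for the caller, which a 640 file mode alone cannot achieve.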