RE: Bug in Apache 1.3.20 Server - Hackemate Research

From: Keith.Morgan (Keith.Morgan@Terradon.com)
Date: 09/24/01


Message-ID: <C9E878EC530BD4118AE60050DAB6B732455617@v-king.kanawhastone.com>
From: "Keith.Morgan" <Keith.Morgan@Terradon.com>
To: "'Hackemate.com.ar'" <hackemate@softhome.net>
Subject: RE: Bug in Apache 1.3.20 Server - Hackemate Research
Date: Mon, 24 Sep 2001 09:56:10 -0400

I have some questions in-line:

> -----Original Message-----
> From: Hackemate.com.ar [mailto:hackemate@softhome.net]
> Sent: Friday, September 21, 2001 11:58 PM
> To: vuln-dev@securityfocus.com; incidents@securityfocus.com
> Subject: Bug in Apache 1.3.20 Server - Hackemate Research
>
>
> This bug (?) affects: Apache/1.3.20 Server
>
> While updating my site and checking out some things and
> directories, I discovered something pretty interesting in the tmp
> directory: there were three files, one with a "sem" extension and
> the other two without any.
>
> Files in Tmp directory:
>
> · sess_0af4137ea55aa752a12971b3145d815b
> · sess_b2e462409e859648ae96a2da84dc03ce
> · session_mm.sem

Are these created by some application running on the box, or by the user
logging in against .htaccess? I'm assuming this would be relative to the
htpasswd database, and not /etc/passwd (shadow).

>
> Content of file "sess_0af4137ea55aa752a12971b3145d815b"
>
> username|s:9:"matt";password|s:9:"secret";!status|lastlist|s:4:"acct";domain|s:16:"host";
>

What are the modes on these files? 0600 nobody? 0644 would DEFINITELY be a
problem.

> As soon as I read it I realised it is nothing more and
> nothing less than
> the server username and password to log in in PLAIN TEXT!
> Obviously I changed it where "matt" is the real username and
> "SECRET" the password
>
> Content of file "sess_b2e462409e859648ae96a2da84dc03ce"
>
> username|s:9:"USERname";password|s:9:"password";!status|lastlist|s:4:"acct";domain|s:16:"host";
>
> The last file "session_mm.sem" was empty
>
> Research by WWW.HACKEMATE.COM <-- Contrasecurity Online
>
>
> KerozenE 1999-2001 c0oL!
> ICQ: 78480975
> *********************************
> Webmaster of www.hackemate.com.ar
> hackemate@softhome.net
> *********************************
> Moderator of the Security Mailing
> http://www.eListas.net/lista/hackemate/alta
> hackemate-alta@Elistas.net
> *********************************
> Editor of the EZine HC&KTM
> http://www.hackemate.com.ar
> hackemate-alta@Elistas.net
> *********************************
>
>
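
An added example, not part of the thread or of any project's code: a Python check that answers the mode question from the reply for every sess_* file in a directory and reports credential-like key names without printing their values. It assumes the files are PHP file-handler sessions (the key|s:N:"value"; layout quoted above matches that format); the function names, the sensitive-name pattern and the sess_constructed_* files are hypothetical.

```python
import os
import re
import stat
import tempfile

# Top-level entries look like  name|s:N:"value";  and "!name|" marks an unset one.
# Declared lengths are ignored on purpose: the quoted sample was hand-edited, so
# they do not match the values. Heuristic: a value containing ';x|' adds a false key.
KEY_RE = re.compile(r'(?<![^;|])!?([A-Za-z_][A-Za-z0-9_]*)\|')
SENSITIVE = re.compile(r'pass|pwd|secret|token', re.I)


def audit_session_dir(path):
    """Report mode and credential-like key names for each sess_* file in path."""
    findings = []
    for name in sorted(os.listdir(path)):
        if not name.startswith("sess_"):
            continue  # e.g. session_mm.sem is not a session data file
        full = os.path.join(path, name)
        st = os.lstat(full)
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks and other non-regular entries
        mode = stat.S_IMODE(st.st_mode)
        with open(full, "r", errors="replace") as fh:
            keys = KEY_RE.findall(fh.read())
        findings.append({
            "file": name,
            "mode": oct(mode),
            "readable_beyond_owner": bool(mode & 0o044),  # group or world read bit
            "sensitive_keys": [k for k in keys if SENSITIVE.search(k)],
        })
    return findings


def demo():
    """Audit a constructed directory holding the session line quoted in the post."""
    sample = 'username|s:9:"matt";password|s:9:"secret";!status|lastlist|s:4:"acct";domain|s:16:"host";'
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("sess_constructed_a", 0o600), ("sess_constructed_b", 0o644)):
            p = os.path.join(tmp, name)
            with open(p, "w") as fh:
                fh.write(sample)
            os.chmod(p, mode)  # explicit chmod, so the umask does not matter
        open(os.path.join(tmp, "session_mm.sem"), "w").close()
        return audit_session_dir(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real session directory, it needs read access to the files, so it is normally run as root or as the web server user.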


