Re: Bug in Apache 1.3.20 Server - Hackemate Research

From: Petr Baudis (pasky@pasky.ji.cz)
Date: 09/24/01


Date: Mon, 24 Sep 2001 19:37:18 +0200
From: Petr Baudis <pasky@pasky.ji.cz>
To: "Bloed" <bloed@pandora.be>
Subject: Re: Bug in Apache 1.3.20 Server - Hackemate Research
Message-ID: <20010924193717.X1149@pasky.ji.cz>


> Like you can see, the sess_ files permissions are -rw------- for user
> root or www-data (like ja apache is installed)
> All other users can't read the info (none of the same group nor the other
> users)
>
> only the user running the apache server itself
> so show me where the security leak is ?
> I think it's normal that apache itself can read the file and no one else
> can!

Well, IMHO storing a plain-text password is a problem anyway, and against
the 'good practices'. Tell me, why are passwords usually stored only in
md5 hash form in /etc/shadow? It's readable only by root, so it should be
no problem ;-).

A possible intruder who gains apache's privileges can read the file
and get the plaintext passwords *very* easily, w/o running any brute-force
decoder on them. And that's a Bad Thing (tm).

-- 

Petr "Pasky" Baudis
.                                                                       .
    n = ((n >>  1) & 0x55555555) | ((n <<  1) & 0xaaaaaaaa);
    n = ((n >>  2) & 0x33333333) | ((n <<  2) & 0xcccccccc);
    n = ((n >>  4) & 0x0f0f0f0f) | ((n <<  4) & 0xf0f0f0f0);
    n = ((n >>  8) & 0x00ff00ff) | ((n <<  8) & 0xff00ff00);
    n = ((n >> 16) & 0x0000ffff) | ((n << 16) & 0xffff0000);
            -- C code which reverses the bits in a word.
.                                                                       .
My public PGP key is on: http://pasky.ji.cz/~pasky/pubkey.txt
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s++:++ a--- C+++ UL++++$ P+ L+++ E--- W+ N !o K- w-- !O M- !V
PS+ !PE Y+ PGP+>++ t+ 5 X(+) R++ tv- b+ DI(+) D+ G e-> h! r% y?
------END GEEK CODE BLOCK------
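
An audit check for the concern raised in this message, as an added example that is not part of the original post: it decodes a session file body and reports credential-like keys whose values are stored unhashed. It assumes the sess_ files use PHP's default file session format (name|serialized value); the key-name patterns, the hash-shape heuristic and the sample session bytes are constructed for illustration.

```python
import re
# Assumed heuristics (not from the original post): key names that suggest a
# credential, and value shapes that are already hashes (crypt-style or hex digest).
SUSPECT = re.compile(rb"pass|pwd|secret", re.I)
HASHED = re.compile(rb"^(\$[0-9a-z]+\$.+|[0-9a-fA-F]{32,128})$")

def _value(buf, i):
    """Parse one PHP serialize() value at buf[i]; return (value, next_index)."""
    t = buf[i:i + 1]
    if t == b"N":                                  # N;
        return None, i + 2
    if t in (b"i", b"b", b"d"):                    # i:42;  b:1;  d:0.5;
        end = buf.index(b";", i)
        return buf[i + 2:end], end + 1
    if t in (b"s", b"a"):
        colon = buf.index(b":", i + 2)
        n, i = int(buf[i + 2:colon]), colon + 2    # skip :" or :{
        if t == b"s":                              # s:<byte length>:"...";
            return buf[i:i + n], i + n + 2
        out = {}                                   # a:<count>:{key value ...}
        for _ in range(n):
            key, i = _value(buf, i)
            out[key], i = _value(buf, i)
        return out, i + 1                          # skip }
    raise ValueError(f"unsupported serialize() type at offset {i}")

def decode_session(buf):
    """Decode a session file body: name|value pairs back to back."""
    data, i = {}, 0
    while i < len(buf):
        bar = buf.index(b"|", i)
        name = buf[i:bar]
        data[name], i = _value(buf, bar + 1)
    return data

def plaintext_secrets(data, path=""):
    """List key paths that look like credentials and hold an unhashed value."""
    hits = []
    for key, val in data.items():
        name = path + key.decode(errors="replace")
        if isinstance(val, dict):
            hits += plaintext_secrets(val, name + ".")
        elif val and SUSPECT.search(key) and not HASHED.match(val):
            hits.append(name)
    return hits

# Constructed sample session body, not taken from a real system.
SAMPLE = (b'user|s:5:"alice";password|s:9:"hunter2!!";'
          b'auth|a:2:{s:8:"pass_md5";s:32:"5f4dcc3b5aa765d61d8327deb882cf99";'
          b's:3:"pwd";s:6:"s3cret";}')
```

Running `plaintext_secrets(decode_session(SAMPLE))` flags `password` and `auth.pwd` while leaving the digest in `auth.pass_md5` alone; objects and other serialize() types outside the handled set raise `ValueError` rather than being skipped silently.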


