Re: Bug in Apache 1.3.20 Server - Hackemate Research

From: Carl Schmidt (carl@slackerbsd.org)
Date: 09/24/01


Date: Mon, 24 Sep 2001 16:20:42 -0400
From: Carl Schmidt <carl@slackerbsd.org>
To: Bloed <bloed@pandora.be>, "'Hackemate.com.ar'" <hackemate@softhome.net>, vuln-dev@securityfocus.com, incidents@securityfocus.com
Subject: Re: Bug in Apache 1.3.20 Server - Hackemate Research
Message-ID: <20010924162042.A36155@slackerbsd.org>


On Mon, Sep 24, 2001 at 07:37:18PM +0200, Petr Baudis wrote:
> > Like you can see, the sess_ files permissions are -rw------- for user
> > root or www-data (like ja apache is installed)
> > All other users can't read the info (none of the same group nor the other
> > users)
> >
> > only the user running the apache server itself
> > so show me where the security leak is?
> > I think it's normal that apache itself can read the file and no one else
> > can!
> Well, IMHO storing a plain-text password is a problem anyway, and against
> the 'good-practices'. Tell me, why are passwords usually stored only in
> md5 hash form in /etc/shadow? It's readable only for root, so should be
> no problem ;-).
>
> A possible intruder who gains apache's privileges can read the file
> and get the plaintext passwords *very* easily, w/o running any brute-force
> decoder on them. And that's a Bad Thing (tm).
>
As it has been said before -- this is not a problem with apache. Apache doesn't
write sess_whatever files...php does when using sessions.

If the initial emailer were concerned about where the files are being put they
can edit 'session.save_path' in php.ini. That is if they're using php (just
seems to be the likely thing...)

-- 
Carl Schmidt
Just like the pied piper led rats through the streets
We dance like marionettes swaying to the symphony of destruction
http://slackerbsd.org/
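As an added check that is not part of this thread: a small POSIX sh audit of the directory that session.save_path points at, covering the two points argued above (sess_ file mode and ownership, and a password sitting in clear inside the serialized session data). The sess_ files it creates are constructed demo input; the credential key pattern, the expected web-server UID and the `ls -ln` field layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit the directory PHP's
# session.save_path points at. One line is printed per finding.
# Checks: mode must be owner-only (PHP normally creates sess_* as 0600),
# the file must belong to the expected web-server UID, and the serialized
# session data must not carry a key that looks like a plaintext credential
# (PHP's default serializer writes string values as  name|s:<len>:"<value>"; ).

# audit_sessions DIR EXPECTED_UID  -> prints findings, always returns 0
audit_sessions() {
    dir=$1
    want_uid=$2
    for f in "$dir"/sess_*; do
        [ -f "$f" ] || continue
        set -- $(ls -ln "$f")        # $1 = mode string, $3 = numeric owner uid
        mode=$1
        uid=$3
        case "$mode" in
            ????------*) ;;          # group/other bits all clear: ok
            *) echo "$f mode $mode is readable by group or other" ;;
        esac
        if [ "$uid" != "$want_uid" ]; then
            echo "$f owned by uid $uid, expected $want_uid"
        fi
        # heuristic key names (assumption); tune to the application's own keys
        if grep -q -i -E '(password|passwd|pwd)\|s:' "$f"; then
            echo "$f stores a plaintext credential in session data"
        fi
    done
    return 0
}

# make_demo_dir -> prints the path of a temp dir holding constructed sess_ files
make_demo_dir() {
    d=$(mktemp -d)
    # constructed: owner-only file that keeps the password in clear (the case
    # the thread argues about); passes the mode check, fails the content check
    printf 'user|s:5:"alice";password|s:6:"s3cret";' > "$d/sess_a1"
    chmod 600 "$d/sess_a1"
    # constructed: world-readable file, no credential
    printf 'user|s:3:"bob";' > "$d/sess_b2"
    chmod 644 "$d/sess_b2"
    # constructed: owner-only, no credential: clean
    printf 'user|s:5:"carol";role|s:5:"admin";' > "$d/sess_c3"
    chmod 600 "$d/sess_c3"
    echo "$d"
}

# demo:   audit_sessions "$(make_demo_dir)" "$(id -u)"
# real:   audit_sessions "<value of session.save_path>" "$(id -u www-data)"
```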