Vulnerability Development mailing list archives
RE: Bug in Apache 1.3.20 Server - Hackemate Research
From: "Bloed" <bloed () pandora be>
Date: Sat, 22 Sep 2001 17:46:46 +0200
The files in tmp starting with sess_ are files used to keep info about sessions used in your Apache (PHP)... the unique id after sess_ is the id the user gets when he starts a session with his browser.

As you can see, the sess_ files' permissions are -rw------- for user root or www-data (like your Apache is installed).

All other users can't read the info (none of the same group nor the other users), only the user running the Apache server itself.

So show me where the security leak is? I think it's normal that Apache itself can read the file and no one else can!

grtz,
bloed

-----Original Message-----
From: Hackemate.com.ar [mailto:hackemate () softhome net]
Sent: Saturday, 22 September 2001 5:58
To: vuln-dev () securityfocus com; incidents () securityfocus com
Subject: Bug in Apache 1.3.20 Server - Hackemate Research

This bug (?) affects: Apache/1.3.20 Server

While updating my site and checking out some things and directories, I discovered something pretty interesting in the tmp directory: there were three files, one with a "sem" extension and the other two without any.

Files in Tmp directory:
. sess_0af4137ea55aa752a12971b3145d815b
. sess_b2e462409e859648ae96a2da84dc03ce
. session_mm.sem

Content of file "sess_0af4137ea55aa752a12971b3145d815b":

username|s:9:"matt";password|s:9:"secret";!status|lastlist|s:4:"acct";domain|s:16:"host";

As soon as I read it I realised it is nothing more and nothing less than the server username and password to log in, in PLAIN TEXT! Obviously I changed it, where "matt" is the real username and "SECRET" the password.

Content of file "sess_b2e462409e859648ae96a2da84dc03ce":

username|s:9:"USERname";password|s:9:"password";!status|lastlist|s:4:"acct";domain|s:16:"host";

The last file "session_mm.sem" was empty.

Research by WWW.HACKEMATE.COM <-- Contrasecurity Online
KerozenE 1999-2001 c0oL!
ICQ: 78480975
*********************************
Webmaster of www.hackemate.com.ar
hackemate () softhome net
*********************************
Moderator of the Security Mailing
http://www.eListas.net/lista/hackemate/alta
hackemate-alta () Elistas net
*********************************
Editor of the EZine HC&KTM
Http://www.hackemate.com.ar
hackemate-alta () Elistas net
*********************************
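The two points argued in this message (who can read a sess_ file, and what the application chose to store in it) can both be checked by an administrator. The following is an added example, not part of the original thread: the function names, the sensitive-key pattern and the sample data are assumptions, and the sample is constructed with length prefixes that match its values, since the redacted values in the post no longer match theirs.

```python
import os
import re
import stat

# Constructed sample in the "name|serialized-value" layout shown in the post.
SAMPLE = b'username|s:4:"matt";password|s:6:"secret";!status|lastlist|s:4:"acct";domain|s:4:"host";'
SENSITIVE = re.compile(r"pass|pwd|secret|token", re.I)  # assumed key pattern
SCALAR = re.compile(rb"(?:[ibd]:[^;]*;|N;)")            # int, bool, float, null

def parse_session(data: bytes) -> dict:
    """Parse PHP session-file data; only scalar values are decoded."""
    out, pos = {}, 0
    while pos < len(data):
        bar = data.index(b"|", pos)
        name = data[pos:bar].decode("latin-1")
        pos = bar + 1
        if name.startswith("!"):         # "!name|" marks an unset variable, no value
            out[name[1:]] = None
            continue
        if data.startswith(b"s:", pos):  # s:<len>:"<bytes>";
            colon = data.index(b":", pos + 2)
            n = int(data[pos + 2:colon])
            start = colon + 2            # skip the colon and opening quote
            if data[start + n:start + n + 2] != b'";':
                raise ValueError(f"bad string length for {name!r}")
            out[name] = data[start:start + n].decode("latin-1")
            pos = start + n + 2
        else:
            m = SCALAR.match(data, pos)
            if not m:
                raise ValueError(f"unsupported value type for {name!r}")
            out[name] = m.group().decode().rstrip(";")
            pos = m.end()
    return out

def audit_session_file(path: str) -> list:
    """Report a group/other-accessible mode and credential-like session keys."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} lets group/other access the file")
    with open(path, "rb") as fh:
        fields = parse_session(fh.read())
    for key, value in fields.items():
        if value and SENSITIVE.search(key):
            findings.append(f"session stores cleartext field {key!r}")
    return findings
```

A file with mode 0600 still produces the second finding: the permission bits restrict who can read the file, while storing the password in the session is the application's decision.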