Re: Bug in Apache 1.3.20 Server - Hackemate Research

[Jay Gruner <getmyfax () gmx de>]

These sess_- files look to me like the session-data php likes to save. It's 
up to the user where it stores this data (default is a /tmp dir) and what 
is more important it is up to the designer of that php-script WHAT it 
stores there. So if you choose to put your plain-text username and password 
there, no wonder it shows up. I wouldn't call this a vulnerability per se...

Greets,
Jay.

At 00:58 22.09.2001 -0300, you wrote:
> This bug (?) affects: Apache/1.3.20 Server
>
>         While, updating my site and checking out some things and
> directories, I discovered something pretty interesting in the tmp
> directory, there were three files, one with a "sem" extension and
> the other two ones without anyone.
>
> Files in Tmp directory:
>
> · sess_0af4137ea55aa752a12971b3145d815b
> · sess_b2e462409e859648ae96a2da84dc03ce
> · session_mm.sem
>
> Content of file "sess_0af4137ea55aa752a12971b3145d815b"
>
> username|s:9:"matt";password|s:9:"secret";!status|lastlist|s:4:"acct";domain|s:16:"host";
>
> as soon as i read it I realised it is nothing more and nothing less than
> the server username and password to log in in PLAIN TEXT!
> Obviously i changed it where "matt" is the real username and "SECRET" the 
> password
>
> Content of file "sess_b2e462409e859648ae96a2da84dc03ce"
>
> username|s:9:"USERname";password|s:9:"password";!status|lastlist|s:4:"acct";domain|s:16:"host";
>
> The last file "session_mm.sem" was empty
>
> Research by WWW.HACKEMATE.COM <-- Contrasecurity Online
>
>
> KerozenE 1999-2001 c0oL!
> ICQ: 78480975
> *********************************
> Webmaster of www.hackemate.com.ar
> hackemate () softhome net
> *********************************
> Moderator of the Security Mailing
> http://www.eListas.net/lista/hackemate/alta
> hackemate-alta () Elistas net
> *********************************
> Editor of the EZine HC&KTM
> Http://www.hackemate.com.ar
> hackemate-alta () Elistas net
> *********************************