Vulnerability Development mailing list archives

Re: Bug in Apache 1.3.20 Server - Hackemate Research


From: Carl Schmidt <carl () slackerbsd org>
Date: Mon, 24 Sep 2001 16:20:42 -0400

On Mon, Sep 24, 2001 at 07:37:18PM +0200, Petr Baudis wrote:
> > Like you can see, the sess_ files permissions are -rw------- for user
> > root or www-data (like ja apache is installed)
> > All other users can't read the info (none of the same group nor the other
> > users)
> >
> > only the user running the apache server itself
> > so show me where the security leak is ?
> > I think it's normal that apache itself can read the file and no one else
> > can!
> Well, IMHO storing a plain-text password is a problem anyway, and against
> the 'good-practices'. Tell me, why passwords are usually stored only in
> md5 hash form in /etc/shadow? It's readable only for root, so should be
> no problem ;-).
>
> Possible intruder which will gain apache's privileges, can read the file
> and get the plaintext passwords *very* easily, w/o running any brute-force
> decoder on them. And that's a Bad Thing (tm).

As it has been said before -- this is not a problem with apache. Apache doesn't
write sess_whatever files...php does when using sessions.

If the initial emailer were concerned about where the files are being put they
can edit 'session.save_path' in php.ini. That is if they're using php (just
seems to be the likely thing...)
-- 
Carl Schmidt
Just like the pied piper led rats through the streets
We dance like marionettes swaying to the symphony of destruction
http://slackerbsd.org/
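
An audit sketch for the point argued in this thread, added here as an example and not part of the original message: it parses the name|value format of PHP's default session serializer, reports whether a sess_ file is readable beyond its owner, and lists credential-like keys whose values are not hash-shaped. The key-name and hash-shape patterns and the sample data are assumptions made for the example; objects (O:) are not handled.

```python
import os, re, stat, sys

# Key names that suggest a credential, and value shapes that look hashed
# (32/40 hex chars, or crypt-style "$id$..."). Both are heuristics assumed here.
SENSITIVE = re.compile(rb"pass(w(or)?d)?|pwd|secret", re.I)
HASHED = re.compile(rb"^(?:[0-9a-f]{32}|[0-9a-f]{40}|\$\w+\$.+)$", re.I)

def parse_value(buf, i):
    """Parse one PHP-serialized value at buf[i]; return (value, next_index)."""
    t = buf[i:i + 1]
    if t == b"N":                                  # N;
        return None, i + 2
    if t in (b"i", b"b", b"d"):                    # i:1;  b:0;  d:1.5;
        end = buf.index(b";", i)
        return buf[i + 2:end], end + 1
    if t in (b"s", b"a"):
        colon = buf.index(b":", i + 2)
        n, i = int(buf[i + 2:colon]), colon + 2    # skip ':"' or ':{'
        if t == b"s":                              # s:N:"...";  N counts bytes
            return buf[i:i + n], i + n + 2
        out = {}                                   # a:N:{key;value;...}
        for _ in range(n):
            k, i = parse_value(buf, i)
            out[k], i = parse_value(buf, i)
        return out, i + 1                          # skip '}'
    raise ValueError("unsupported type %r at offset %d" % (t, i))

def parse_session(buf):
    """Split the 'name|value' pairs written by PHP's default session handler."""
    data, i = {}, 0
    while i < len(buf):
        bar = buf.index(b"|", i)
        name = buf[i:bar]
        data[name], i = parse_value(buf, bar + 1)
    return data

def plaintext_keys(data, prefix=b""):
    """Yield credential-like key paths whose value is not hash-shaped."""
    for k, v in data.items():
        if isinstance(v, dict):
            yield from plaintext_keys(v, prefix + k + b".")
        elif v and SENSITIVE.search(k) and not HASHED.match(v):
            yield (prefix + k).decode("latin-1")

def audit(path):
    """Return (readable_beyond_owner, suspect_keys); values are never printed."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "rb") as fh:
        return bool(mode & 0o077), list(plaintext_keys(parse_session(fh.read())))

# Constructed sample in sess_ file format (not taken from the thread).
SAMPLE = (b'user|s:5:"alice";password|s:9:"hunter2!!";'
          b'auth|a:2:{s:3:"pwd";s:32:"0123456789abcdef0123456789abcdef";s:5:"tries";i:1;}')

if __name__ == "__main__":
    for p in sys.argv[1:]:          # e.g. the sess_* files under session.save_path
        print(p, audit(p))
```

A file that comes back as (False, ['password']) is the case debated above: the permissions are tight, yet the value is still recoverable by anything running with the web server's privileges.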
