WebApp Sec mailing list archives
Re: htaccess with apache
From: António Vasconcelos <vasco () all-2-it com>
Date: Fri, 07 Nov 2003 14:12:34 +0000
Tim Greer wrote:
the traditional buffer overflow in malloc() and memcpy() or strcpy() shows just that.How is this relevant to the permissions on passwd?
Just to show how easy is to do something that looks to be inocent and turns out to be a major security problem.
(unless your server isn't set up well), and save the resources since your server is secured properly. Oh well, to each their own, but I have to wonder when people make a big deal about something that's not.
I'm not talking about good/bad server setup.It's just that the username/password authentication mecanism is a weak one, and I know that, if possible, users will use a bad or easy to guess password. My experience tells me that about 10% of the users _do_ choose a pasword that can be retrived just from the username and GECOS fields, plus one or two digits.
So, disclosing the /etc/passwd file is something that should not be done, and should not be regarded as trivial. As it _may_ contain info valuable for someone that wants to break into your sistem. You should not regard anithing as trivial just because you don't know how (or if) it can be used against you.
-- António Vasconcelos /(Administrador de Sistemas) ALL2IT-Infocomunicações, SA Torre de Monsanto, 6º Piso Miraflores, Algés PORTUGAL Telf.: + 351 21 412 39 50 Fax.: + 351 21 410 51 94/*CONFIDENCIAL*: Esta mensagem contém informação confidencial ou material privilegiado, e é só intencionada para os seus destinatários. De acordo com a lei em vigor, se um erro originou que tenha recebido esta mensagem por engano pedimos que, de imediato, notifique o remetente e a apague do seu sistema sem a reproduzir. *CONFIDENTIAL*: This e-mail contains proprietary information, some or all of which may be legally privileged. It is for the intended recipients only. According to the law in force, if an addressing or transmission error has misdirected this e-mail, please notify the author by replying to this e-mail and delete it from your system without retaining a copy.
................................................................................... Scanned OK by ALL-2-IT Anti-Virus Gateway
Current thread:
- Re: htaccess with apache, (continued)
- Re: htaccess with apache Sverre H. Huseby (Nov 04)
- Re: htaccess with apache Tim Tompkins (Nov 04)
- Re: htaccess with apache Lucas Holt (Nov 04)
- Re: htaccess with apache A.D.Douma (Nov 05)
- Re: htaccess with apache Graham Lally (Nov 04)
- Re: htaccess with apache Tim Greer (Nov 04)
- Re: htaccess with apache António Vasconcelos (Nov 05)
- Re: htaccess with apache Tim Greer (Nov 05)
- Re: htaccess with apache António Vasconcelos (Nov 06)
- Re: htaccess with apache Tim Greer (Nov 06)
- Re: htaccess with apache António Vasconcelos (Nov 11)
- Re: htaccess with apache Tim Greer (Nov 11)
- Re: htaccess with apache Tim Greer (Nov 11)