Full Disclosure mailing list archives
ws_ftp.log
From: Gaurang Pandya <gaubrig () yahoo com>
Date: Sun, 15 Aug 2004 05:19:02 -0700 (PDT)
Hi, WS_FTP is a popular & feature rich ftp client. It makes upload/download as easy as drag & drop. But mostly peoples using this forget that it creates a log file with name ws_ftp.log. This file holds sensitive data such as file source/destination and file name, date/time of upload etc., People when use this to upload files to their website, never know that along with other files even ws_ftp.log file also gets uploaded to the webserver, making it globally accessible. One can find thousands of ws_ftp.log files with a quick google search as follows, http://www.google.com/search?hl=en&ie=UTF-8&q=inurl%3Aws_ftp.log now people might use extensive google search to find files that have got copied to web server recently with following query, which will show you what files actually got copied in Auguts 2004, because its likely that those files will still be in there in web server. http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=2004.08+inurl%3Aws_ftp.log+&btnG=Search An attacker has a look at cached google page (without actually hitting the target & leaving traces at webserver logs) and quickly finds out some vital informations such as, 1. Exact location of file in web server (i.e., /usr/local/www/test/abc.htm instead of www.web.dom/test/abc.htm). 2. It some times also gives user names(in case where web master gives each user a directory to host their websites), which later can be used with brute force/dictonary attack to gain access to web server. 3. It makes it easy to find/download vulnerable scripts or classes in a website, with again just a google search, as given below. Which otherwise can be found by viewing source of html file. Which can later be use to attack the host. http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=class+2004.08+inurl%3Aws_ftp.log+ Other than that it also (sometimes) gives internal hostname/ip address of webserver. Recommendation: Please remove ws_ftp.log file from website after data movement, and webmasters are requested to scan/remove such files from webserver (in case files are uploaded by some one else). Which can easily be done by a cron job. Special Thanks to: Johnny Long (http://johnny.ihackstuff.com) for his wonderful work of "The Google Hackers Guide Understanding and Defending Against the Google Hacker" Thanks & Regards, Gaurang. http://www.geocities.com/gaurangpandya/ __________________________________ Do you Yahoo!? Yahoo! Mail - 50x more storage than other providers! http://promotions.yahoo.com/new_mail _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- ws_ftp.log Gaurang Pandya (Aug 15)
- Re: ws_ftp.log Ill will (Aug 15)
- Re: ws_ftp.log morning_wood (Aug 15)
- Re: ws_ftp.log Steve Kudlak (Aug 15)
- <Possible follow-ups>
- Re: ws_ftp.log Hamby, Charles D. (Aug 16)
- Re: ws_ftp.log ChrisR- (Aug 16)
- Re: Re: ws_ftp.log Gaurang Pandya (Aug 16)