Re: CVE request: nginx world-readable logdir

[Anders Petersson <anders () xvx se>]

2013/2/21 Kurt Seifried <kseifried () redhat com>

> On 02/21/2013 11:17 AM, Henri Salo wrote:
> > On Thu, Feb 21, 2013 at 06:50:14PM +0100, Agostino Sarubbo wrote:
> > > Hello,
> > >
> > > I just noticed my nginx logdir and its content are
> > > world-readable:
> > >
> > > drwxr-xr-x  2 root root  4096 Jan 10 00:11 . drwxr-xr-x 16 root
> > > root  4096 Feb 21 17:46 .. -rw-r--r--  1 root root 69415 Feb 21
> > > 17:46 error_log -rw-r--r--  1 root root 93017 Feb 18 22:03
> > > localhost.access_log -rw-r--r--  1 root root 86227 Feb 18 22:03
> > > localhost.error_log
> > >
> > > What do you think about?
> > >
> > > -- Agostino Sarubbo / ago -at- gentoo.org Gentoo Linux Developer
> >
> > Also affects Debian squeeze package. I will report a bug. Can we
> > get a CVE assigned for this issue, thank you.
> >
> > -- Henri Salo
>
> Ok is this like standard HTTPD style logs? If so then they would
> generally be considered sensitive (GET strings, etc.). Adding nginx to
> the cc so they know.

They are httpd-style logs:

$ tail -1 /var/log/nginx/access.log
85._._._ - - [21/Feb/2013:18:_:_ +0100] "GET /w00tw00t.at.ISC.SANS.DFind:)
HTTP/1.1" 400 172 "-" "-"

However on Debian Squeeze the logs themselves are not world-readable (at
least on my system):

$ ls -la /var/log/nginx/
total 452
drwxr-xr-x 2 root     root  4096 Feb 21 06:25 .
drwxr-xr-x 9 root     root  4096 Feb 21 06:25 ..
-rw-r----- 1 www-data adm    934 Feb 21 18:40 access.log
-rw-r----- 1 www-data adm  20134 Feb 21 03:46 access.log.1

--
Anders Petersson