Re: ETag leaking inode info

[Robin Wood <robin () digininja org>]

On 20 September 2012 21:22, Robin Wood <robin () digininja org> wrote:
> I've had both Nikto and Nessus recently report Apache ETags leaking
> inode information for example in the Nikto output below:
>
> <description><![CDATA[Server leaks inodes via ETags, header found with
> file /icons/README, inode: 491605, size: 4872, mtime:
> 0xbd8ce4c0]]></description>
>
> I understand that knowing the size and access time is a bit of info
> leakage but the stress is on the inode, can anyone explain why this is
> so bad? What can an attacker how knows an inode value do with it? I'd
> have thought if they had enough access to a machine to be accessing at
> the inode level then they would have full file system access anyway.
>
> Robin

Seeing as I've had no answers I'll answer myself...

I asked a lot of people this question while at Brucon and no one
managed to come up with a good reason why knowing the inode is a
really bad thing. We all agree that we should avoid leaking
information wherever possible but no one managed to come up with a
good use for a leaked inode.

If anyone wants to disagree please shout up.

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com