-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Jan Minar wrote: | On Wed, Dec 22, 2004 at 09:57:13AM +0100, Fabio Massimo Di Nitto wrote: | |>tag 286740 - security |>thanks |> |>Jan Minar wrote: |>| Package: apache |>| Version: 1.3.33-2 |>| Severity: minor |>| Tags: security |>| |>| Hi. |>| |>| /var/log/apache is world-readable, so users can e.g. check whether |>| certain operation triggered an error. And given that the error strings |>| are pretty standardized, they can guess what string has been added to |>| the logfile, judging by the number of bytes that was appended to the |>| log. |>| |>| As this is not very obvious to the system administrator, and as there is |>| no use of /var/log/apache directory being readable and searchable while |>| the files in it are not, apart from the information disclosure described |>| above, I think it should be chmod-ed 750, just as the logs in it are |>| chmod 640. |>| |> |>There is no point in such operation. If a user have a local account |>it also has at least a few other thousands options to make a DoS on apache. | | | Apples and pears. Information disclosure and DoS. And BTW, fix the | DoSes too.
Oh GREAT.. so let see... i should go around the world changing all the hardware on the planet because each user on a machine can use ab or any kind of tool that can telnet to port 80 generating millions of requests on the localhost server? Therefor slowing down the machine? You are welcome to provide me the money to do so, together with patches to each config file for each apache server out there so that there will be always available resources.
| | IMVHO, You should at least read the bugreports before You are closing | them... |
So let see.. provide me a PoC that i can use to gather information out of this theorerical bug that can lead to DoS or privilege escalations and i will fix this bug immediatly.
Fabio
- -- Self-Service law: The last available dish of the food you have decided to eat, will be inevitably taken from the person in front of you. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFByVAkhCzbekR3nhgRAgbPAKCR8mO8qJ6QVeQckIbXrFnHWnW5TwCeNbqF m0InhwqL4T0+geIvD1jCqNw= =nHUG -----END PGP SIGNATURE-----