On Mon, Dec 12, 2011 at 08:47:07AM -0800, Galen Seitz wrote:
> The following showed up in a logwatch report this morning. Should I
> be concerned? The system is running CentOS 5.7. It has some static
> pages under http, and squirrelmail, trac, viewvc, and other stuff
> under https. I haven't touched the configuration in months, just the
> normal yum updates.
>
> A total of 3 possible successful probes were detected (the following URLs
> contain strings that match one or more of a listing of strings that
> indicate a possible exploit):
>
> /?file=../../../../../../proc/self/environ%00 HTTP Response 200
> /?mod=../../../../../../proc/self/environ%00 HTTP Response 200
> /?page=../../../../../../proc/self/environ%00 HTTP Response 200
I imagine you'd feel more comfortable with something like:

"GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 404

And the requestor seeing something like:

Forbidden
You don't have permission to access / on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.17 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 Server at saunter.us Port 80

But yes, you do have a concern: the file=../../... construction being allowed means any web attacker can read any file on your system the web server user can read.

(off to find the documentation about how to prevent this)

--
Michael Rasmussen, Portland Oregon
Other Adventures: http://www.jamhome.us/ or http://westy.saunter.us/
Fortune Cookie Fortune du jour:
It CAN'T be a bad decision, it resulted in CARROT CAKE!
~ http://questionablecontent.net/view.php?comic=1671

_______________________________________________
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
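As an added example, not from either poster: a small triage script for the kind of logwatch finding discussed above. It scans Apache access-log lines for the ../../proc/self/environ%00 probe pattern and, for each probe that got a 200, compares the response size with the normal size of a 200 for the site's front page; a probe that returns the same body as the ordinary index page was most likely just ignored by a static site, while a 200 with a different size is the case worth a manual look. The log lines, addresses and sizes are constructed for the demonstration, and the "same size as baseline" rule is a heuristic, not proof either way.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample Apache combined-log lines; not taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Dec/2011:03:14:07 -0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1523 "-" "libwww-perl/5.805"
203.0.113.5 - - [12/Dec/2011:03:14:08 -0800] "GET /?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1523 "-" "libwww-perl/5.805"
203.0.113.5 - - [12/Dec/2011:03:14:09 -0800] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1523 "-" "libwww-perl/5.805"
198.51.100.7 - - [12/Dec/2011:03:20:11 -0800] "GET / HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Dec/2011:03:22:45 -0800] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 200 4879 "-" "curl/7.19.7"
"""

# Apache combined log: client, ident, user, timestamp, request, status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Two or more "../" hops, a /proc/self/environ target, or an embedded NUL
TRAVERSAL_RE = re.compile(r'(\.\./){2,}|/proc/self/environ|\x00', re.IGNORECASE)


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['status'] = int(d['status'])
    d['size'] = None if d['size'] == '-' else int(d['size'])
    return d


def is_traversal_probe(url):
    # Decode once so that %2e%2e%2f and %00 encodings are matched as well
    return bool(TRAVERSAL_RE.search(unquote(url)))


def triage(log_text):
    """Return (ip, url, status, size, verdict) for every traversal probe in the log."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    # Baseline: the most common body size of a 200 for non-probe requests
    normal = Counter(e['size'] for e in entries
                     if e['status'] == 200 and not is_traversal_probe(e['url']))
    baseline = normal.most_common(1)[0][0] if normal else None
    findings = []
    for e in entries:
        if not is_traversal_probe(e['url']):
            continue
        if e['status'] != 200:
            verdict = 'blocked'          # server refused or did not find it
        elif baseline is not None and e['size'] == baseline:
            verdict = 'probe-ignored'    # same body as the ordinary front page
        else:
            verdict = 'review'           # 200 with a different body: look at it
        findings.append((e['ip'], e['url'], e['status'], e['size'], verdict))
    return findings


if __name__ == '__main__':
    for row in triage(SAMPLE_LOG):
        print(*row)
```

Point it at the real access_log rather than SAMPLE_LOG; logwatch only reports the status, so the byte count is the extra signal it does not give you.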