On Mon, Dec 12, 2011 at 08:47:07AM -0800, Galen Seitz wrote:
> The following showed up in a logwatch report this morning.  Should I
> be concerned?  The system is running CentOS 5.7.  It has some static
> pages under http, and squirrelmail, trac, viewvc, and other stuff
> under https.  I haven't touched the configuration in months, just the
> normal yum updates.
> 
>  A total of 3 possible successful probes were detected (the following URLs
>  contain strings that match one or more of a listing of strings that
>  indicate a possible exploit):
> 
>     /?file=../../../../../../proc/self/environ%00 HTTP Response 200
>     /?mod=../../../../../../proc/self/environ%00 HTTP Response 200
>     /?page=../../../../../../proc/self/environ%00 HTTP Response 200

I imagine you'd feel more comfortable with something like:

   "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 404


And the requestor seeing something like:
    Forbidden
    
    You don't have permission to access / on this server.
    
    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
    
    Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.17 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 Server at saunter.us Port 80

But yes, you do have a concern: the file=../../... construction being allowed means any web attacker can read any file on your system that the web server user can read.

(off to find the documentation about how to prevent this)

-- 
            Michael Rasmussen, Portland Oregon  
      Other Adventures: http://www.jamhome.us/ or http://westy.saunter.us/
Fortune Cookie Fortune du jour:
It CAN'T be a bad decision, it resulted in CARROT CAKE!
    ~ http://questionablecontent.net/view.php?comic=1671
_______________________________________________
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
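As an added illustration (not part of the thread or of logwatch itself), a small Python scan that applies the same heuristic logwatch used here to constructed Apache access-log lines: it flags traversal, null bytes and sensitive paths in the request, then separates non-200 answers from 200s whose response size matches the normal front page. The log lines, IPs and sizes are constructed; the baseline page size is an assumption you would take from your own logs.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log format (not from the original thread).
# First probe: 200 with a different size than the front page; second: 200 with the same size;
# third: 404; fourth: a normal request.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Dec/2011:03:14:07 -0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 8190 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Dec/2011:03:14:08 -0800] "GET /?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Dec/2011:03:14:09 -0800] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 404 289 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Dec/2011:03:20:00 -0800] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def classify_request(url):
    """Return the reasons a request looks like a traversal/LFI probe, or [] if it looks clean."""
    decoded = unquote(url)  # one round of percent-decoding, so %2e%2e%2f becomes ../ and %00 a NUL
    reasons = []
    if '../' in decoded or '..\\' in decoded:
        reasons.append('path traversal')
    if '\x00' in decoded:
        reasons.append('null byte')
    if '/proc/self/environ' in decoded or '/etc/passwd' in decoded:
        reasons.append('sensitive file')
    return reasons


def scan_log(text, baseline_size=None):
    """Parse each line, keep the probes, and attach a verdict based on status and response size.
    baseline_size is the byte count the front page normally returns (assumed known from your logs)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m['url'])
        if not reasons:
            continue
        status = int(m['status'])
        size = int(m['size']) if m['size'].isdigit() else 0
        if status != 200:
            verdict = 'blocked or missing'
        elif baseline_size is not None and size == baseline_size:
            verdict = 'probably ignored (same size as normal page)'
        else:
            verdict = 'possible success: inspect'
        hits.append({'ip': m['ip'], 'url': m['url'], 'status': status, 'reasons': reasons, 'verdict': verdict})
    return hits


if __name__ == '__main__':
    for h in scan_log(SAMPLE_LOG, baseline_size=5123):
        print(h['status'], h['verdict'], h['url'], ', '.join(h['reasons']))
```

A 200 on its own does not prove the include worked, since a front page that ignores the parameter also answers 200; a response size that differs from the normal page is the cheap signal to look at first, and a PHP front controller that passes `$_GET['file']` straight to `include` without a whitelist is the configuration to fix.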