On Wed, Dec 22, 2004 at 07:05:13PM -0800, Matt Zimmerman wrote:
On Tue, Dec 21, 2004 at 09:41:35PM +, Jan Minar wrote:
Package: apache
Version: 1.3.33-2
Severity: minor
Tags: security
Hi.
/var/log/apache is world-readable, so users can e.g. check whether
certain
On Thu, Dec 23, 2004 at 01:20:02PM +, Jan Minar wrote:
On Wed, Dec 22, 2004 at 07:05:13PM -0800, Matt Zimmerman wrote:
The user can just as easily find out that an error was caused by noticing
the 5xx error returned by the server in response to the request.
Only if it was an error
On Thu, Dec 23, 2004 at 09:44:00AM -0800, Matt Zimmerman wrote:
On Thu, Dec 23, 2004 at 01:20:02PM +, Jan Minar wrote:
On Wed, Dec 22, 2004 at 07:05:13PM -0800, Matt Zimmerman wrote:
The user can just as easily find out that an error was caused by noticing
the 5xx error returned by
Processing commands for [EMAIL PROTECTED]:
tag 286740 - security
Bug#286740: apache: log directory should have same permissions as logfiles
(possible information disclosure)
Tags were: security
Tags removed: security
thanks
Stopping processing here.
Please contact me if you need assistance
On Wed, Dec 22, 2004 at 09:57:13AM +0100, Fabio Massimo Di Nitto wrote:
tag 286740 - security
thanks
Jan Minar wrote:
| Package: apache
| Version: 1.3.33-2
| Severity: minor
| Tags: security
|
| Hi.
|
| /var/log/apache is world-readable, so users can e.g. check whether
| certain
Jan Minar wrote:
| On Wed, Dec 22, 2004 at 09:57:13AM +0100, Fabio Massimo Di Nitto wrote:
|
|tag 286740 - security
|thanks
|
|Jan Minar wrote:
|| Package: apache
|| Version: 1.3.33-2
|| Severity: minor
|| Tags: security
||
|| Hi.
||
|| /var/log/apache
[EMAIL PROTECTED] wrote:
| On Wed, Dec 22, 2004 at 11:44:54AM +0100, Fabio Massimo Di Nitto wrote:
|
| |There is no point in such an operation. If a user has a local account
| |it also has at least a few thousand other options to make a DoS on
| apache.
On Wed, 22 Dec 2004, Fabio Massimo Di Nitto said:
[EMAIL PROTECTED] wrote:
| On Wed, Dec 22, 2004 at 11:44:54AM +0100, Fabio Massimo Di Nitto wrote:
|
it's funny, 'cause both of you have made good points. thing is, i've
already chmodded
On Wed, Dec 22, 2004 at 11:44:54AM +0100, Fabio Massimo Di Nitto wrote:
Jan Minar wrote:
| On Wed, Dec 22, 2004 at 09:57:13AM +0100, Fabio Massimo Di Nitto wrote:
|
|tag 286740 - security
|thanks
|
|Jan Minar wrote:
|| Package: apache
|| Version: 1.3.33-2
|| Severity: minor
|| Tags:
[EMAIL PROTECTED] wrote:
| On Wed, 22 Dec 2004, Fabio Massimo Di Nitto said:
|
|
|-BEGIN PGP SIGNED MESSAGE-
|Hash: SHA1
|
|[EMAIL PROTECTED] wrote:
|| On Wed, Dec 22, 2004 at 11:44:54AM +0100, Fabio Massimo Di Nitto wrote:
||
|
|
| it's
On Wed, 22 Dec 2004, Fabio Massimo Di Nitto said:
[EMAIL PROTECTED] wrote:
| On Wed, 22 Dec 2004, Fabio Massimo Di Nitto said:
|
| it's funny, 'cause both of you have made good points. thing is, i've
| already chmodded my apache*
On Tue, Dec 21, 2004 at 09:41:35PM +, Jan Minar wrote:
Package: apache
Version: 1.3.33-2
Severity: minor
Tags: security
Hi.
/var/log/apache is world-readable, so users can e.g. check whether
certain operation triggered an error. And given that the error strings
are pretty
Package: apache
Version: 1.3.33-2
Severity: minor
Tags: security
Hi.
/var/log/apache is world-readable, so users can e.g. check whether
certain operation triggered an error. And given that the error strings
are pretty standardized, they can guess what string has been added to
the logfile,