[Systems] False positive

Bernie Innocenti bernie at codewiz.org
Fri Mar 13 06:39:48 EDT 2009


In today's logwatch:

>  --------------------- httpd Begin ------------------------ 
>  
>  A total of 2 sites probed the server 
>     134.2.222.10
>     157.86.255.6
>  
>  A total of 2 possible successful probes were detected (the following URLs
>  contain strings that match one or more of a listing of strings that
>  indicate a possible exploit):
>  
>     /passwd HTTP Response 200 
>     /index.php?cont=../../../../../../../../../../../../../../../etc/passwd%00 HTTP Response 200 

These two entries in today's logwatch on sunjammer almost made me faint,
but they're both false positives.

/passwd is just the password change form.

The second one comes from the new web site.  It returns 200, but doesn't
disclose the contents of passwd.

This episode reminded me that sunjammer has an unusually wide attack
surface, both local and remote.  Web applications are particularly
nasty because they run promiscuously under the same uid.  Break one,
and you gain access to everything under control of www-data, including
the DB passwords.

Maybe we should consider using suEXEC and suPHP for the applications we
trust less:

  http://wiki.apache.org/httpd/PrivilegeSeparation

-- 
   // Bernie Innocenti - http://www.codewiz.org/
 \X/  Sugar Labs       - http://www.sugarlabs.org/
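The two logwatch hits above are a good illustration of why a string match on a request URL plus a 200 status is not evidence of a successful exploit. The script below is an added example (not part of this post, of logwatch, or of anything running on sunjammer): it parses a few constructed Apache combined-format log lines, decodes percent-encoding so `%00` and `%2f` are seen for what they are, matches the same kind of indicator strings logwatch keys on, and then separates a known local path (here `/passwd`, the password change form, as a hypothetical allowlist entry) from real traversal probes. A 200 response is recorded and flagged for review, never reported as a confirmed disclosure. The client addresses are RFC 5737 documentation addresses, and the response sizes are made up.

```python
"""Classify logwatch-style httpd probe hits and separate likely false positives.

Added example, not code from the original mailing-list post or from logwatch.
Sample log lines are constructed; the two request paths mirror the ones quoted
in the post, the client addresses are RFC 5737 documentation addresses.
"""
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines (not real sunjammer log data).
SAMPLE_LOG = """\
192.0.2.10 - - [13/Mar/2009:06:01:02 -0400] "GET /passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Mar/2009:06:02:11 -0400] "GET /index.php?cont=../../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 5120 "-" "-"
203.0.113.5 - - [13/Mar/2009:06:03:45 -0400] "GET /index.php?cont=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Mar/2009:06:04:00 -0400] "GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.1" 404 312 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicator substrings, roughly the kind of list logwatch's httpd filter uses.
INDICATORS = ("/etc/passwd", "passwd", "../", "\x00", "/bin/sh")

# Local paths that are legitimate on this server even though they match an
# indicator string (hypothetical: /passwd is the password change form here).
KNOWN_GOOD_PATHS = {"/passwd"}


def decode_target(target):
    """Decode repeated percent-encoding so %2f and %00 become '/' and NUL.

    Bounded to a few rounds: double-encoding is common, but we stop as soon
    as another pass changes nothing."""
    cur = target
    for _ in range(3):
        prev, cur = cur, unquote(cur)
        if cur == prev:
            break
    return cur


def classify(line):
    """Return a dict describing a probe hit, or None if the line matches nothing.

    'verdict' is one of 'known-good', 'traversal-probe' or 'indicator-match'.
    A 200 status is recorded and sets needs_review; it is never treated as
    proof that anything was disclosed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m["target"])
    path, _, query = decoded.partition("?")
    hits = [ind for ind in INDICATORS if ind in decoded]
    if not hits:
        return None
    if path in KNOWN_GOOD_PATHS and not query:
        verdict = "known-good"
    elif "../" in decoded or "\x00" in decoded:
        verdict = "traversal-probe"
    else:
        verdict = "indicator-match"
    status = int(m["status"])
    return {
        "ip": m["ip"],
        "status": status,
        "size": m["size"],          # compare against the page's normal size by hand
        "path": path,
        "indicators": hits,
        "verdict": verdict,
        "needs_review": verdict != "known-good" and status == 200,
    }


def report(log_text):
    """Classify every line of an access log; return only the hits, in order."""
    return [c for c in (classify(l) for l in log_text.splitlines()) if c]


if __name__ == "__main__":
    for hit in report(SAMPLE_LOG):
        print(hit["verdict"], hit["ip"], hit["status"], hit["size"],
              hit["path"], hit["indicators"])
```

On the constructed input the `/passwd` request is reported as known-good, the `cont=../../etc/passwd%00` request as a traversal probe that needs review (status 200), and the `..%2f` request as a traversal probe that already failed (404). The `size` field is kept so a reviewer can do what the post describes doing by hand: if the 200 response for the probe is the same size as the normal `index.php` page, the application most likely served its usual content rather than `/etc/passwd`.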

