[Systems] False positive

Luke Faraone luke at faraone.cc
Fri Mar 13 08:23:08 EDT 2009


On Fri, Mar 13, 2009 at 6:39 AM, Bernie Innocenti <bernie at codewiz.org>wrote:

> >     /passwd HTTP Response 200
> >     /index.php?cont=../../../../../../../../../../../../../../../etc/passwd%00 HTTP Response 200
>
> These two entries in today's logwatch on sunjammer almost made me faint,
> but they're both false positives.
>
> /passwd is just the password change form.
>
> The second one comes from the new web site.  It returns 200, but doesn't
> disclose the contents of passwd.
>

I'm sure it doesn't; if it did, it would be a major security flaw in DAC.
It's still not a false positive IMHO, since it was not something that should
occur normally. In other words, it was an *attempted* attack.

> This episode reminded me that sunjammer has an unusually wide attack
> surface, both local and remote.  Web applications are particularly
> nasty because they run promiscuously under the same uid.  Break one,
> and you gain access to everything under control of www-data, including
> the DB passwords.
>
> Maybe we should consider using suEXEC and suPHP for the applications we
> trust less:
>
>  http://wiki.apache.org/httpd/PrivilegeSeparation


Or better yet, why not isolate everything? :)



-- 
Luke Faraone
http://luke.faraone.cc
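An added example, not part of this thread, illustrating the distinction Luke draws: triage logic run over constructed access-log lines that flags the traversal attempt regardless of its 200 response while leaving the legitimate /passwd form alone. The sample lines, the indicator list and the function names are my own assumptions, not anything from sunjammer's logwatch configuration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not the real sunjammer
# logwatch output). All three return 200; only the second is an attack attempt.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Mar/2009:06:01:12 -0400] "GET /passwd HTTP/1.1" 200 1423 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Mar/2009:06:02:44 -0400] "GET /index.php?cont=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 5120 "-" "curl/7.18"
203.0.113.7 - - [13/Mar/2009:06:03:01 -0400] "GET /index.php?cont=about HTTP/1.1" 200 5010 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def naive_match(path):
    """Keyword rule of the kind that fires on both lines: anything mentioning passwd."""
    return "passwd" in path

def traversal_indicators(path):
    """Percent-decode once, then look for the classic traversal/LFI markers."""
    decoded = unquote(path)
    found = []
    if "../" in decoded or "..\\" in decoded:
        found.append("dot-dot-slash")
    if "\x00" in decoded:            # null byte used to cut off an appended suffix
        found.append("null-byte")
    if re.search(r"(^|/)etc/(passwd|shadow)\b", decoded):
        found.append("sensitive-file")
    return found

def classify(line):
    """Return ('attack-attempt', indicators), ('benign', []) or ('unparsed', []).
    The status code is parsed but not consulted: a 200 on a traversal attempt
    only means the request was served, not that it was harmless."""
    m = LOG_RE.match(line)
    if not m:
        return ("unparsed", [])
    ind = traversal_indicators(m.group("path"))
    return ("attack-attempt", ind) if ind else ("benign", [])

def triage(log_text):
    """Return [(path, status, verdict, indicators)] for each non-empty line."""
    rows = []
    for line in filter(str.strip, log_text.splitlines()):
        m = LOG_RE.match(line)
        path, status = (m.group("path"), m.group("status")) if m else (line, "?")
        verdict, ind = classify(line)
        rows.append((path, status, verdict, ind))
    return rows
```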