[Systems] False positive
Luke Faraone
luke at faraone.cc
Fri Mar 13 08:23:08 EDT 2009
On Fri, Mar 13, 2009 at 6:39 AM, Bernie Innocenti <bernie at codewiz.org> wrote:
> > /passwd HTTP Response 200
> >
> /index.php?cont=../../../../../../../../../../../../../../../etc/passwd%00
> HTTP Response 200
>
> These two entries in today's logwatch on sunjammer almost made me faint,
> but they're both false positives.
>
> /passwd is just the password change form.
>
> The second one comes from the new web site. It returns 200, but doesn't
> disclose the contents of passwd.
>
I'm sure it doesn't, if it did it would be a major security flaw in DAC.
It's still not a false positive IMHO, since it was not something that should
occur normally. In other words, it was an *attempted* attack.
> This episode reminded me that sunjammer has an unusually wide attack
> surface, both local and remote. Web applications are particularly
> nasty because they run promiscuously under the same uid. Break one,
> and you gain access to everything under control of www-data, including
> the DB passwords.
>
> Maybe we should consider using suEXEC and suPHP for the applications we
> trust less:
>
> http://wiki.apache.org/httpd/PrivilegeSeparation
Or better yet, why not isolate everything? :)
--
Luke Faraone
http://luke.faraone.cc
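The disagreement above is really about how a log reviewer should classify the two entries: a literal `/passwd` path is an ordinary form, while a `../../etc/passwd%00` query string is an attempt whether or not the application leaked anything. The following Python script is an added example, not code from this thread or from the sunjammer setup. It scans constructed access-log lines (made-up IPs, timestamps and byte counts; the two request paths mirror the ones quoted above), URL-decodes each path until it stops changing so that double-encoded traversal is not missed, and reports a verdict that treats a 200 on a traversal attempt as "attempt, check the response" rather than as a false positive.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Apache common log format (not real traffic).
# Line 1 is the password-change form; line 2 is the traversal request from the
# thread; line 3 is an ordinary page; line 4 is a double-encoded variant (%252f).
SAMPLE_LOG = """\
10.0.0.1 - - [13/Mar/2009:06:01:12 -0400] "GET /passwd HTTP/1.1" 200 1843
10.0.0.2 - - [13/Mar/2009:06:02:40 -0400] "GET /index.php?cont=../../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 5120
10.0.0.3 - - [13/Mar/2009:06:03:01 -0400] "GET /index.php?cont=about HTTP/1.1" 200 4002
10.0.0.4 - - [13/Mar/2009:06:04:55 -0400] "GET /index.php?cont=..%252f..%252fetc%252fpasswd HTTP/1.1" 404 301
"""

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(path, max_rounds=3):
    """URL-decode until the string stops changing (bounded), so that a
    double-encoded sequence such as %252f is eventually seen as '/'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def traversal_indicators(decoded_path):
    """Return the reasons a decoded request path looks like a traversal attempt.
    An empty list means nothing suspicious was found."""
    reasons = []
    if '../' in decoded_path or '..\\' in decoded_path:
        reasons.append('directory traversal sequence')
    if '\x00' in decoded_path:
        # %00 is used to cut off an extension the application appends (e.g. ".php").
        reasons.append('null byte (extension truncation)')
    if re.search(r'/etc/(?:passwd|shadow|group)\b', decoded_path):
        reasons.append('reference to a system credential file')
    return reasons


def classify(line):
    """Parse one log line and attach a verdict; returns None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group('path')
    decoded = fully_decode(raw)
    reasons = traversal_indicators(decoded)
    status = int(m.group('status'))
    if not reasons:
        verdict = 'benign'
    elif status == 200:
        # A 200 only says the application handled the request. It does not prove
        # the file was disclosed, but the attempt is real and the body needs checking.
        verdict = 'attempted attack; verify response did not leak the file'
    else:
        verdict = 'attempted attack; rejected by server'
    return {
        'ip': m.group('ip'),
        'path': raw,
        'decoded': decoded,
        'status': status,
        'reasons': reasons,
        'verdict': verdict,
    }


def scan(log_text):
    """Classify every parseable line of a log."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]


def flagged(log_text):
    """Only the entries that carry at least one indicator."""
    return [r for r in scan(log_text) if r['reasons']]


if __name__ == '__main__':
    for r in scan(SAMPLE_LOG):
        print(f"{r['ip']:10} {r['status']} {r['verdict']:55} {r['path'][:60]}")
```

Running the script prints one line per request; only the two traversal entries are flagged, and `/passwd` on its own is left alone because neither a `..` sequence nor a null byte nor an `/etc/` file appears in it. The verdict for the 200 case deliberately stops at "verify": confirming that the body did not contain the file is a manual (or separate) step, which is exactly the check that separates "false positive" from "attempt that happened to fail".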