[Systems] False positive
luke at faraone.cc
Fri Mar 13 08:23:08 EDT 2009
On Fri, Mar 13, 2009 at 6:39 AM, Bernie Innocenti <bernie at codewiz.org> wrote:
> > /passwd HTTP Response 200
> HTTP Response 200
> These two entries in today's logwatch on sunjammer almost made me faint,
> but they're both false positives.
> /passwd is just the password change form.
> The second one comes from the new web site. It returns 200, but doesn't
> disclose the contents of passwd.
I'm sure it doesn't; if it did, it would be a major security flaw in DAC.
It's still not a false positive IMHO, since it was not something that should
occur normally. In other words, it was an *attempted* attack.
> This episode reminded me that sunjammer has an unusually wide attack
> surface, both local and remote. Web applications are particularly
> nasty because they run promiscuously under the same uid. Break one,
> and you gain access to everything under control of www-data, including
> the DB passwords.
> Maybe we should consider using suEXEC and suPHP for the applications we
> trust less:
Or better yet, why not isolate everything? :)
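A small log check in the spirit of the thread, added here as an example and not code from the list or from sunjammer: it treats the password-change form at /passwd as known-good, flags any other request whose decoded path mentions passwd or climbs upward with "..", and keeps the status code so that a 200 on such a request stands out from a 404. The Apache combined log format, /passwd being the only legitimate passwd path, and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache combined log line: only the request path and status are used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: the password-change form is the only legitimate "passwd" path.
KNOWN_GOOD = {"/passwd"}


def classify(line):
    """Return (kind, path, status) where kind is legit, suspicious, other or unparsed."""
    m = LOG_RE.match(line)
    if not m:
        return ("unparsed", None, None)
    # Decode twice so %252e-style double encoding is seen for what it is.
    path = unquote(unquote(m.group("path")))
    status = int(m.group("status"))
    base = path.split("?", 1)[0]
    if base in KNOWN_GOOD:
        return ("legit", base, status)
    if "passwd" in base or "/../" in base:
        return ("suspicious", base, status)
    return ("other", base, status)


def review(lines):
    """Collect (path, status) for suspicious requests; a 200 here deserves a look."""
    return [(p, s) for kind, p, s in map(classify, lines) if kind == "suspicious"]


# Constructed sample lines, not real traffic from the host discussed.
SAMPLE = [
    '10.0.0.5 - - [13/Mar/2009:06:01:02 -0400] "GET /passwd HTTP/1.1" 200 1432 "-" "Mozilla"',
    '10.0.0.9 - - [13/Mar/2009:06:02:10 -0400] "GET /../../etc/passwd HTTP/1.0" 404 210 "-" "curl"',
    '10.0.0.9 - - [13/Mar/2009:06:02:11 -0400] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 200 312 "-" "curl"',
    '10.0.0.7 - - [13/Mar/2009:06:03:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla"',
]

if __name__ == "__main__":
    for path, status in review(SAMPLE):
        print(f"{status} {path}")
```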