http://www.pcworld.com/article/id,134943-c,onlinesecurity/article.html By Jeremy Kirk IDG News Service July 23, 2007 Security analysts spotted a gaping security hole in Fox News Network LLC's Web site on Monday, revealing file directories and sensitive content, although it appears the problem has been fixed. Several directories were visible on a server for Fox News [1] that should normally not be accessible by a Web browser over the Internet. A systems administrator may have forgotten that the directories were viewable over the Internet or erroneously changed the permissions needed to view the directories, said Ronald van den Heetkamp, who runs the blog "The Hacker Webzine." [2] The Fox News site runs on the Apache Web server software on Ubuntu Linux. "This isn't a very clever idea," wrote van den Heetkamp, in an e-mail to IDG News Service. The security problem is "huge enough, and a few sensitive files have been found." Also exposed was an FTP (File Transfer Protocol) connection to ziffdavis.com, plus a username and a password in a bash file, which is a Linux shell script used in this case to automatically login into an FTP server and grab news headlines, van den Heetkamp said. It would be hard to directly exploit the Web server, but being able to see how the Web site is structured could open other ideas for an attack in the future, van den Heetkamp said. "They will have tons of people downloading their data right now as we speak, which is bad in any case," he said. Fox officials were not immediately available for comment. [1] http://www.foxnews.com/index.html [2] http://www.0x000000.com/index.php? _____________________________________________________ Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 30 hands-on training courses and 90 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 70 nations. Visit product displays by 30 top sponsors in a relaxed setting. Rates increase on June 1 so register today. http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Mon Jul 23 2007 - 22:13:51 PDT