This was observed on an OpenLinux 2.3 system, after performing a full installation of all packages.

NOTE: I didn't see anything on this in the Bugtraq archive, so I'm assuming it's not a known issue.

[root@noname /root]# rpm -q -f /home/httpd/cgi-bin/rpm_query
OpenLinux-2.3-16
[root@noname /root]#

Issue

The rpm_query CGI allows any individual who can connect to the web server to obtain a listing of all RPMs installed on the system.

Impact

Attackers may use this information to identify what vulnerable software packages have been installed.

Recommendation

If this CGI is not required:

# chmod 0 /home/httpd/cgi-bin/rpm_query

If it is required, use Apache's access control features to restrict who may use it.

harikiri
--
"Unless you enter the tiger's lair, you cannot get hold of the tiger's cubs."
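The following is an added example of the Apache access control the post recommends; it is not part of the original post and not Caldera's shipped configuration. It is written for the Apache 1.3 series that OpenLinux 2.3 shipped with, and it assumes the httpd.conf location, the 192.168.1.0/24 administrative network and the /etc/httpd/rpm_query.users password file, all of which are placeholders to adjust for your site.

```apache
# Added example (not from the original post): restrict the rpm_query CGI
# at /home/httpd/cgi-bin/rpm_query to an administrative network, or to
# authenticated users, using Apache 1.3 mod_access and mod_auth.
# The 192.168.1.0/24 range and the AuthUserFile path are assumptions.
<Directory "/home/httpd/cgi-bin">
    <Files "rpm_query">
        # Host-based control: deny everyone, then re-allow only the
        # loopback address and the administrative network.
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 192.168.1.0/24

        # User-based control for callers that fail the host check.
        AuthType Basic
        AuthName "RPM package listing"
        AuthUserFile /etc/httpd/rpm_query.users
        Require valid-user

        # "Satisfy Any": the request is served if EITHER the host check
        # OR the login succeeds. Change to "Satisfy All" to demand both,
        # or drop the Auth* lines to allow the listed hosts only.
        Satisfy Any
    </Files>
</Directory>
```

Create the password file with `htpasswd -c /etc/httpd/rpm_query.users <user>` (drop `-c` when adding further users), restart httpd, and then request /cgi-bin/rpm_query from a host outside the allowed range: it should get a 401 challenge with the configuration above, or a 403 if the Auth* lines are removed. A configuration-based restriction has one advantage over `chmod 0` on the script itself: a later upgrade of the owning package may restore the file's packaged permissions, whereas the httpd.conf entry stays in place.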
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:56 PDT