Bug in Apache 1.3.20 Server - Hackemate Research

• Previous message: auto241065at_private: "RE: Nimda affecting HP LaserJet / JetDirect devices?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This bug (?) affects: Apache/1.3.20 Server

        While, updating my site and checking out some things and
directories, I discovered something pretty interesting in the tmp
directory, there were three files, one with a "sem" extension and
the other two ones without anyone.

Files in Tmp directory:

· sess_0af4137ea55aa752a12971b3145d815b
· sess_b2e462409e859648ae96a2da84dc03ce
· session_mm.sem

Content of file "sess_0af4137ea55aa752a12971b3145d815b"

username|s:9:"matt";password|s:9:"secret";!status|lastlist|s:4:"acct";domain|s:16:"host";

as soon as i read it I realised it is nothing more and nothing less than
the server username and password to log in in PLAIN TEXT!
Obviously i changed it where "matt" is the real username and "SECRET" the password

Content of file "sess_b2e462409e859648ae96a2da84dc03ce"

username|s:9:"USERname";password|s:9:"password";!status|lastlist|s:4:"acct";domain|s:16:"host";

The last file "session_mm.sem" was empty

Research by WWW.HACKEMATE.COM <-- Contrasecurity Online


KerozenE 1999-2001 c0oL!
ICQ: 78480975
*********************************
Webmaster of www.hackemate.com.ar
hackemateat_private
*********************************
Moderator of the Security Mailing
http://www.eListas.net/lista/hackemate/alta
hackemate-altaat_private
*********************************
Editor of the EZine HC&KTM
http://www.hackemate.com.ar
hackemate-altaat_private
*********************************

• Next message: Antonio Vasconcelos: "Using NBAR to stop your users from geting Nimda from a web page"
• Previous message: auto241065at_private: "RE: Nimda affecting HP LaserJet / JetDirect devices?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Sep 22 2001 - 15:19:48 PDT