These sess_- files look to me like the session-data php likes to save. It's up to the user where it stores this data (default is a /tmp dir) and what is more important it is up to the designer of that php-script WHAT it stores there. So if you choose to put your plain-text username and password there, no wonder it shows up. I wouldn't call this a vulnerability per se... Greets, Jay. At 00:58 22.09.2001 -0300, you wrote: >This bug (?) affects: Apache/1.3.20 Server > > While, updating my site and checking out some things and >directories, I discovered something pretty interesting in the tmp >directory, there were three files, one with a "sem" extension and >the other two ones without anyone. > >Files in Tmp directory: > >· sess_0af4137ea55aa752a12971b3145d815b >· sess_b2e462409e859648ae96a2da84dc03ce >· session_mm.sem > >Content of file "sess_0af4137ea55aa752a12971b3145d815b" > >username|s:9:"matt";password|s:9:"secret";!status|lastlist|s:4:"acct";domain|s:16:"host"; > >as soon as i read it I realised it is nothing more and nothing less than >the server username and password to log in in PLAIN TEXT! >Obviously i changed it where "matt" is the real username and "SECRET" the >password > >Content of file "sess_b2e462409e859648ae96a2da84dc03ce" > >username|s:9:"USERname";password|s:9:"password";!status|lastlist|s:4:"acct";domain|s:16:"host"; > >The last file "session_mm.sem" was empty > >Research by WWW.HACKEMATE.COM <-- Contrasecurity Online > > >KerozenE 1999-2001 c0oL! >ICQ: 78480975 >********************************* >Webmaster of www.hackemate.com.ar >hackemateat_private >********************************* >Moderator of the Security Mailing >http://www.eListas.net/lista/hackemate/alta >hackemate-altaat_private >********************************* >Editor of the EZine HC&KTM >http://www.hackemate.com.ar >hackemate-altaat_private >*********************************
This archive was generated by hypermail 2b30 : Sat Sep 22 2001 - 09:51:47 PDT