RE: Bug in Apache 1.3.20 Server - Hackemate Research

From: Bloed (bloedat_private)
Date: Sat Sep 22 2001 - 08:46:46 PDT

    The files in tmp starting with sess_ are files used to keep info about
    sessions used in your Apache (PHP)... the unique id after sess_ is the id
    the user gets when he starts a session with his browser.
    
    As you can see, the sess_ files' permissions are -rw------- for user
    root or www-data (as your Apache is installed).
    All other users can't read the info (none of the same group nor the other
    users),
    
    only the user running the Apache server itself.
    So show me where the security leak is?
    I think it's normal that Apache itself can read the file and no one else
    can!
    
    grtz,
    bloed
    
    
    -----Original Message-----
    From: Hackemate.com.ar [mailto:hackemateat_private] 
    Sent: Saturday 22 September 2001 5:58
    To: vuln-devat_private; incidentsat_private
    Subject: Bug in Apache 1.3.20 Server - Hackemate Research
    
    This bug (?) affects: Apache/1.3.20 Server
    
    While updating my site and checking out some things and
    directories, I discovered something pretty interesting in the tmp
    directory: there were three files, one with a "sem" extension and
    the other two without any.
    
    Files in Tmp directory:
    
    . sess_0af4137ea55aa752a12971b3145d815b
    . sess_b2e462409e859648ae96a2da84dc03ce
    . session_mm.sem
    
    Content of file "sess_0af4137ea55aa752a12971b3145d815b"
    
    username|s:9:"matt";password|s:9:"secret";!status|lastlist|s:4:"acct";domain|s:16:"host";
    
    As soon as I read it I realised it is nothing more and nothing less than
    the server username and password to log in, in PLAIN TEXT!
    Obviously I changed it, where "matt" is the real username and "SECRET"
    the password.
    
    Content of file "sess_b2e462409e859648ae96a2da84dc03ce"
    
    username|s:9:"USERname";password|s:9:"password";!status|lastlist|s:4:"acct";domain|s:16:"host";
    
    The last file "session_mm.sem" was empty
    
    Research by WWW.HACKEMATE.COM <-- Contrasecurity Online
    
    
    KerozenE 1999-2001 c0oL!
    ICQ: 78480975
    *********************************
    Webmaster of www.hackemate.com.ar
    hackemateat_private
    *********************************
    Moderator of the Security Mailing
    http://www.eListas.net/lista/hackemate/alta
    hackemate-altaat_private
    *********************************
    Editor of the EZine HC&KTM
    http://www.hackemate.com.ar
    hackemate-altaat_private
    *********************************
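
An added example, not part of either message: a Python audit of a PHP session directory that checks the two points the thread turns on, whether each sess_ file is restricted to -rw------- and whether the session data stores credential-like variables. The sample files, the SENSITIVE name pattern and the function names are constructed for illustration; only string values (`name|s:N:"value";`) and unset markers (`!name|`) are parsed, and the sample uses consistent length fields, unlike the redacted data in the post.

```python
import glob, os, re, stat, tempfile

SENSITIVE = re.compile(r"pass(word|wd)?|secret|pwd", re.I)  # assumed name pattern

def session_keys(data):
    """Variable names in PHP session data: name|s:N:"value"; or !name| (unset)."""
    keys, pos = [], 0
    while (bar := data.find(b"|", pos)) >= 0:
        name = data[pos:bar].decode("latin-1")
        keys.append(name.lstrip("!"))
        pos = bar + 1
        if name.startswith("!"):      # unset variable: no value follows
            continue
        m = re.match(rb's:(\d+):"', data[pos:])
        if not m:                     # non-string value: stop rather than guess
            break
        pos += m.end() + int(m.group(1)) + 2   # skip value, closing quote and ';'
    return keys

def audit(directory):
    """Map each sess_* file name to its findings (mode bits, credential keys)."""
    findings = {}
    for path in sorted(glob.glob(os.path.join(directory, "sess_*"))):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        problems = []
        if mode & 0o077:              # anything beyond -rw------- for the owner
            problems.append("mode %04o grants group/other access" % mode)
        with open(path, "rb") as fh:
            hits = [k for k in session_keys(fh.read()) if SENSITIVE.search(k)]
        if hits:
            problems.append("credential-like keys: " + ",".join(hits))
        if problems:
            findings[os.path.basename(path)] = problems
    return findings

def demo():
    """Audit a temporary directory of constructed session files."""
    samples = {  # constructed sample data, not taken from a real server
        "sess_aaaa": (0o600, b'username|s:4:"matt";password|s:6:"secret";!status|lastlist|s:4:"acct";'),
        "sess_bbbb": (0o644, b'lastlist|s:4:"acct";'),
    }
    with tempfile.TemporaryDirectory() as d:
        for name, (mode, data) in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return audit(d)
```

The first constructed file passes the permission check but is still flagged for holding a password variable; the second is flagged on its mode alone.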
    



    This archive was generated by hypermail 2b30 : Sat Sep 22 2001 - 09:59:09 PDT