The files in tmp starting with sess_ are files used to keep info about sessions used in your Apache (PHP)... the unique id after sess_ is the id the user gets when he starts a session with his browser.

As you can see, the sess_ files' permissions are -rw------- for user root or www-data (depending on how your Apache is installed). All other users can't read the info (none of the same group nor the other users), only the user running the Apache server itself.

So show me where the security leak is? I think it's normal that Apache itself can read the file and no one else can!

grtz,
bloed

-----Original Message-----
From: Hackemate.com.ar [mailto:hackemateat_private]
Sent: Saturday 22 September 2001 5:58
To: vuln-devat_private; incidentsat_private
Subject: Bug in Apache 1.3.20 Server - Hackemate Research

This bug (?) affects: Apache/1.3.20 Server

While updating my site and checking out some things and directories, I discovered something pretty interesting in the tmp directory: there were three files, one with a "sem" extension and the other two without any.

Files in Tmp directory:
. sess_0af4137ea55aa752a12971b3145d815b
. sess_b2e462409e859648ae96a2da84dc03ce
. session_mm.sem

Content of file "sess_0af4137ea55aa752a12971b3145d815b":

username|s:9:"matt";password|s:9:"secret";!status|lastlist|s:4:"acct";domain|s:16:"host";

As soon as I read it I realised it is nothing more and nothing less than the server username and password to log in, in PLAIN TEXT! Obviously I changed it, where "matt" is the real username and "SECRET" the password.

Content of file "sess_b2e462409e859648ae96a2da84dc03ce":

username|s:9:"USERname";password|s:9:"password";!status|lastlist|s:4:"acct";domain|s:16:"host";

The last file "session_mm.sem" was empty.

Research by WWW.HACKEMATE.COM <-- Contrasecurity Online KerozenE 1999-2001 c0oL!

ICQ: 78480975
*********************************
Webmaster of www.hackemate.com.ar
hackemateat_private
*********************************
Moderator of the Security Mailing
http://www.eListas.net/lista/hackemate/alta
hackemate-altaat_private
*********************************
Editor of the EZine HC&KTM
http://www.hackemate.com.ar
hackemate-altaat_private
*********************************
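The two points the thread disagrees on can both be checked mechanically: whether a sess_ file is readable by anyone besides the web server user, and whether the serialized session data inside it holds credentials in the clear. The following is an added example (not code from either poster): it parses the PHP session serialization format shown in the quoted mail (key|value pairs; a `!name|` entry marks a registered-but-unset variable) and audits a sample file. The sample content, file name and the list of sensitive key names are constructed for illustration.

```python
"""Audit PHP sess_* files for loose permissions and plaintext credentials."""
import os
import re
import stat
import tempfile

# Constructed sample in the format quoted in the thread (lengths made consistent).
SAMPLE = 'username|s:4:"matt";password|s:6:"secret";!status|lastlist|s:4:"acct";domain|s:4:"host";'
SENSITIVE_KEYS = {"password", "passwd", "secret", "token"}  # assumption: names worth flagging

def parse_php_session(data):
    """Parse the php session-serialize handler format: key|<value>key|<value>...
    Scalar values s, i, d, b and N are supported; arrays are not handled here."""
    out, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        key, pos = data[pos:bar], bar + 1
        if key.startswith("!"):            # '!name|' = registered but undefined, no value follows
            out[key[1:]] = None
            continue
        tag = data[pos]
        if tag == "s":                     # s:<len>:"<bytes>";  read exactly <len> characters
            m = re.match(r's:(\d+):"', data[pos:])
            start, length = pos + m.end(), int(m.group(1))
            out[key] = data[start:start + length]
            pos = start + length + 2       # skip the closing '";'
        elif tag in "idb":                 # i:<int>;  d:<float>;  b:<0|1>;
            m = re.match(r'[idb]:([^;]*);', data[pos:])
            raw = m.group(1)
            out[key] = int(raw) if tag == "i" else float(raw) if tag == "d" else raw == "1"
            pos += m.end()
        elif tag == "N":                   # N; = null
            out[key] = None
            pos += 2
        else:
            raise ValueError("unsupported value type %r at offset %d" % (tag, pos))
    return out

def audit_session_file(path):
    """Return findings: group/other-readable mode, and credential-like session keys."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("permissions: readable by group/others (%o)" % mode)
    with open(path) as fh:
        session = parse_php_session(fh.read())
    for key in session:
        if key.lower() in SENSITIVE_KEYS:
            findings.append("plaintext credential stored in session variable %r" % key)
    return findings

def demo():
    """Write the constructed sample to a temp dir; audit it at mode 0600, then at 0644."""
    path = os.path.join(tempfile.mkdtemp(), "sess_example")  # constructed file name
    with open(path, "w") as fh:
        fh.write(SAMPLE)
    os.chmod(path, 0o600)
    strict = audit_session_file(path)
    os.chmod(path, 0o644)
    return strict, audit_session_file(path)
```

Even at 0600 the second finding remains, which is the point of the original report: file permissions limit who can read the session store, but anything the application puts into $_SESSION sits there unencrypted for the web server user and anyone who obtains its privileges.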
This archive was generated by hypermail 2b30 : Sat Sep 22 2001 - 09:59:09 PDT