RE: Bug in Apache 1.3.20 Server - Hackemate Research

From: Keith.Morgan (Keith.Morganat_private)
Date: Mon Sep 24 2001 - 06:56:10 PDT


    I have some questions in-line:
    
    > -----Original Message-----
    > From: Hackemate.com.ar [mailto:hackemateat_private]
    > Sent: Friday, September 21, 2001 11:58 PM
    > To: vuln-devat_private; incidentsat_private
    > Subject: Bug in Apache 1.3.20 Server - Hackemate Research
    > 
    > 
    > This bug (?) affects: Apache/1.3.20 Server
    > 
    >         While updating my site and checking out some things and
    > directories, I discovered something pretty interesting in the tmp
    > directory: there were three files, one with a "sem" extension and
    > the other two without any.
    > 
    > Files in Tmp directory:
    > 
    > · sess_0af4137ea55aa752a12971b3145d815b
    > · sess_b2e462409e859648ae96a2da84dc03ce
    > · session_mm.sem
    
    Are these created by some application running on the box, or by the user
    logging in against .htaccess?  I'm assuming this would be relative to the
    htpasswd database, and not /etc/passwd (shadow).
    
    > 
    > Content of file "sess_0af4137ea55aa752a12971b3145d815b"
    > 
    > username|s:9:"matt";password|s:9:"secret";!status|lastlist|s:4:"acct";domain|s:16:"host";
    > 
    
    What are the modes on these files? 0600 nobody? 0644 would DEFINITELY be a
    problem.
    
    > As soon as I read it I realised it is nothing more and nothing less than
    > the server username and password to log in in PLAIN TEXT!
    > Obviously I changed it where "matt" is the real username and
    > "SECRET" the password
    > 
    > Content of file "sess_b2e462409e859648ae96a2da84dc03ce"
    > 
    > username|s:9:"USERname";password|s:9:"password";!status|lastlist|s:4:"acct";domain|s:16:"host";
    > 
    > The last file "session_mm.sem" was empty
    > 
    > Research by WWW.HACKEMATE.COM <-- Contrasecurity Online
    > 
    > 
    > KerozenE 1999-2001 c0oL!
    > ICQ: 78480975
    > *********************************
    > Webmaster of www.hackemate.com.ar
    > hackemateat_private
    > *********************************
    > Moderator of the Security Mailing
    > http://www.eListas.net/lista/hackemate/alta
    > hackemate-altaat_private
    > *********************************
    > Editor of the EZine HC&KTM
    > http://www.hackemate.com.ar
    > hackemate-altaat_private
    > *********************************
    > 
    > 
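Added example, not part of either post: a defender's audit of the two things the reply asks about, namely the modes on the sess_* files and whether their contents hold credentials. The key-name list, the function names and the sample file names are assumptions, and the sample content is constructed in the layout quoted above.

```python
import os
import re
import stat
import tempfile

# Assumed list of key names that indicate a credential stored in session state.
SENSITIVE_KEYS = {"password", "passwd", "pass", "secret"}
# Variable names in the `name|value;` layout quoted in the post; a leading `!`
# is accepted because the post shows one on `status`.
KEY_RE = re.compile(r'(?:^|(?<=[;|]))!?(\w+)\|')

def audit_session_dir(path):
    """Return a finding for each sess_* file that is over-exposed or holds credentials."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)  # lstat: do not follow a symlink planted in a shared tmp
        if not name.startswith("sess_") or not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        with open(full, "r", errors="replace") as fh:
            # Only key names are read; declared string lengths are not trusted.
            keys = {k.lower() for k in KEY_RE.findall(fh.read())}
        issues = []
        if mode & 0o077:  # any group/other permission bit, e.g. 0644
            issues.append("accessible beyond owner")
        if keys & SENSITIVE_KEYS:
            issues.append("credential keys: " + ",".join(sorted(keys & SENSITIVE_KEYS)))
        if issues:
            findings.append({"file": name, "mode": "%04o" % mode,
                             "uid": st.st_uid, "issues": issues})
    return findings

def demo():
    """Build a constructed tmp directory and audit it."""
    sample = 'username|s:4:"matt";password|s:6:"secret";!status|lastlist|s:4:"acct";'
    with tempfile.TemporaryDirectory() as d:
        for name, body, mode in [("sess_aaaa", sample, 0o644),
                                 ("sess_bbbb", sample, 0o600),
                                 ("sess_cccc", 'lang|s:2:"en";', 0o600),
                                 ("session_mm.sem", "", 0o644)]:
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write(body)
            os.chmod(p, mode)
        return audit_session_dir(d)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A 0600 file still gets a finding when it stores a password key, since the web server user and anything running as it can read the file.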
    



    This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 08:42:24 PDT