I have some questions in-line: > -----Original Message----- > From: Hackemate.com.ar [mailto:hackemateat_private] > Sent: Friday, September 21, 2001 11:58 PM > To: vuln-devat_private; incidentsat_private > Subject: Bug in Apache 1.3.20 Server - Hackemate Research > > > This bug (?) affects: Apache/1.3.20 Server > > While, updating my site and checking out some things and > directories, I discovered something pretty interesting in the tmp > directory, there were three files, one with a "sem" extension and > the other two ones without anyone. > > Files in Tmp directory: > > · sess_0af4137ea55aa752a12971b3145d815b > · sess_b2e462409e859648ae96a2da84dc03ce > · session_mm.sem Are these created by some application running on the box, or by the user logging in against .htaccess? I'm assuming this would be relative the htpasswd database, and not /etc/passwd (shadow). > > Content of file "sess_0af4137ea55aa752a12971b3145d815b" > > username|s:9:"matt";password|s:9:"secret";!status|lastlist|s:4 > :"acct";domain|s:16:"host"; > What are the modes on these files? 0600 nobody? 0644 would DEFINITELY be a problem. > as soon as i read it I realised it is nothing more and > nothing less than > the server username and password to log in in PLAIN TEXT! > Obviously i changed it where "matt" is the real username and > "SECRET" the password > > Content of file "sess_b2e462409e859648ae96a2da84dc03ce" > > username|s:9:"USERname";password|s:9:"password";!status|lastli st|s:4:"acct";domain|s:16:"host"; > > The last file "session_mm.sem" was empty > > Research by WWW.HACKEMATE.COM <-- Contrasecurity Online > > > KerozenE 1999-2001 c0oL! > ICQ: 78480975 > ********************************* > Webmaster of www.hackemate.com.ar > hackemateat_private > ********************************* > Moderator of the Security Mailing > http://www.eListas.net/lista/hackemate/alta > hackemate-altaat_private > ********************************* > Editor of the EZine HC&KTM > http://www.hackemate.com.ar > hackemate-altaat_private > ********************************* > >
This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 08:42:24 PDT