On Wed, Dec 22, 2004 at 09:57:13AM +0100, Fabio Massimo Di Nitto wrote:
> tag 286740 - security
> thanks
>
> Jan Minar wrote:
> | Package: apache
> | Version: 1.3.33-2
> | Severity: minor
> | Tags: security
> |
> | Hi.
> |
> | /var/log/apache is world-readable, so users can e.g. check whether
> | a certain operation triggered an error. And given that the error strings
> | are pretty standardized, they can guess what string has been added to
> | the logfile, judging by the number of bytes that was appended to the
> | log.
> |
> | As this is not very obvious to the system administrator, and as there is
> | no use of the /var/log/apache directory being readable and searchable while
> | the files in it are not, apart from the information disclosure described
> | above, I think it should be chmod-ed 750, just as the logs in it are
> | chmod 640.
> |
>
> There is no point in such an operation. If a user has a local account
> it also has at least a few thousand other options to make a DoS on apache.

Apples and pears. Information disclosure and DoS. And BTW, fix the DoSes too.

IMVHO, You should at least read the bug reports before You are closing them...

-- 
 )^o-o^|      jabber: rdancer@NJS.NetLab.Cz
 | .v K       e-mail: jjminar FastMail FM
 ` - .'       phone:  +44(0)7981 738 696
 \ __/Jan     icq:    345 355 493
 __|o|__Minář irc:    rdancer@IRC.FreeNode.Net
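The disclosure described in the bug report depends on a directory-mode detail that is easy to miss: a file with mode 640 still answers stat() for any user who has search (x) permission on the directory containing it, so its size and modification time leak even though its contents do not. The following audit script is an added example, not part of the bug report or of the Debian apache package; it builds a constructed copy of the reported layout (directory 755, log file 640) in a temporary directory, reports what "other" users can learn from it, then applies the 750 mode the report asks for and audits again. The function names, the sample log line and the temporary directory are all assumptions made for the example.

```python
import os
import shutil
import stat
import tempfile

# Modes named in the bug report: log files are 0640, the directory should be 0750.
RECOMMENDED_DIR_MODE = 0o750


def audit_log_dir(path):
    """Return a list of findings describing what users outside the owner and
    group can learn from a log directory such as /var/log/apache.
    Hypothetical helper written for this example; it reasons purely from
    mode bits, so it gives the same answer whoever runs it."""
    findings = []
    dmode = stat.S_IMODE(os.stat(path).st_mode)
    other_can_list = bool(dmode & stat.S_IROTH)    # r on dir: names visible
    other_can_search = bool(dmode & stat.S_IXOTH)  # x on dir: stat() works
    if other_can_list:
        findings.append("directory is world-readable: log file names are visible")
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.stat(full)
        fmode = stat.S_IMODE(st.st_mode)
        if fmode & stat.S_IROTH:
            findings.append(f"{name}: world-readable, contents disclosed")
        elif other_can_search:
            # The leak from the report: no read access to the file, yet the
            # byte count appended between two stat() calls is observable.
            findings.append(
                f"{name}: size ({st.st_size} bytes) and mtime disclosed via stat()")
    return findings


def recommended_fix(path):
    """The command the report proposes for the directory."""
    return f"chmod {RECOMMENDED_DIR_MODE:o} {path}"


def demo():
    """Audit a constructed copy of the reported layout before and after the
    recommended chmod. Returns (findings_before, findings_after)."""
    root = tempfile.mkdtemp(prefix="apache-log-audit-")  # constructed layout
    try:
        logfile = os.path.join(root, "error.log")
        with open(logfile, "w") as fh:
            # Constructed sample line in the style of an Apache 1.3 error log.
            fh.write("[error] File does not exist: /var/www/missing.html\n")
        os.chmod(logfile, 0o640)   # log file mode as shipped
        os.chmod(root, 0o755)      # directory mode the report objects to
        before = audit_log_dir(root)
        os.chmod(root, RECOMMENDED_DIR_MODE)
        after = audit_log_dir(root)
        return before, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("with directory 0755:")
    for f in before:
        print("  -", f)
    print("with directory 0750:", after or "nothing disclosed to other users")
    print("fix:", recommended_fix("/var/log/apache"))
```

Run against a real directory, `audit_log_dir("/var/log/apache")` needs no privileges beyond the ability to stat the directory itself; an empty result means users outside the owner and group can neither list, read, nor stat the logs.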