On Wed, 2011-12-14 at 09:07 -0500, Brenda J. Butler wrote:
> On Tue, Dec 13, 2011 at 12:37:11PM -0500, Bart Trojanowski wrote:
> > 2011/12/13 Jean-François Bilodeau <jfbilodeau [ at ] chronogears [ dot ] com>
> >
> > > It should, but if the probe was successful with
> > > /?file=../../../../../../proc/self/environ%00, that tells me that the index
> > > may be a script (ie: index.php instead of index.html).
> > >
> > > Another possibility is that the query string was indeed ignored, and there
> > > is no security hole.
> > >
> > > Jeff: have you tried to /?file=../../../../../../proc/self/environ%00 url?
> > > Did that return anything unwanted?
> > >
> >
> > http://www.jukie.net/~bart/html_test/?foo=foo
> >
> > html_test/index.html is just a static html. It returns 200. The foo=foo
> > seems to be ignored.
>
> I tried it on my dynamic page (served by byteflow), and just got the
> front page (as I would expect for a http://server/ url).
>
> I know my software will not look at the GET query part (the part after
> ?) for the front page.
>
> I think it comes down to knowing what your server is going to do with
> the GET query. If you actually have php, you may be able to configure
> it to only serve pages that are part of your site, and to ignore (or
> slap back in response to) requests for pages elsewhere on your
> machine.

I also see this in my logs, so I asked Google about it and found a few
hits. One interesting one is on YouTube, where someone used it to exploit
a website, http://www.youtube.com/watch?v=mY_mxbkqqwM , and that was
uploaded Nov 17 2011, and if it was done that recently then they are
behind on patching.

I found some discussion around the problem at
http://lwn.net/Articles/191954/

Tested it on some of my sites, checked my logs for anything other than
probes and AppArmor for denied logs, but didn't find any, so I guess I
don't have an issue on my servers.

If you have anything that looks like a bit more than a probe you could
have a problem, but otherwise it seems to be more of yet another scripted
attack log added now and then.

/ps

> bjb
> _______________________________________________
> Linux mailing list
> Linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
> http://oclug.on.ca/mailman/listinfo/linux
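The log check discussed in the thread, written out as an added example (not code from any poster): it finds the `proc/self/environ` probe in an access log and compares each answer with what the same path returns to ordinary requests, the way the static-page test above compared the `?foo=foo` response. The combined log format, the size comparison and the verdict names are assumptions made for the example, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache/nginx "combined" format is assumed; adjust the pattern for other layouts.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
                  r'(?P<status>\d{3}) (?P<size>\d+|-)')
MARKER = "proc/self/environ"   # the file named in the probe from the thread

def parse(line):
    """Return ip, path, decoded query, status and size, or None if unparsable."""
    m = LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    size = 0 if m["size"] == "-" else int(m["size"])
    return {"ip": m["ip"], "path": url.path, "query": unquote(url.query),
            "status": int(m["status"]), "size": size}

def triage(lines):
    """Return [(ip, path, verdict)] for every probe found in the log lines."""
    reqs = [r for r in map(parse, lines) if r]
    # Baseline: what each path answers to requests that carry no probe.
    baseline = {}
    for r in reqs:
        if MARKER not in r["query"]:
            baseline.setdefault(r["path"], set()).add((r["status"], r["size"]))
    out = []
    for r in reqs:
        if MARKER not in r["query"]:
            continue
        if r["status"] >= 400:
            verdict = "rejected"   # server refused the request
        elif (r["status"], r["size"]) in baseline.get(r["path"], ()):
            verdict = "ignored"    # same answer as a normal request for that path
        else:
            verdict = "review"     # answer differs from normal: inspect by hand
        out.append((r["ip"], r["path"], verdict))
    return out

# Constructed sample lines using documentation addresses, not real traffic.
PROBE = "?file=../../../../../../proc/self/environ%00"
SAMPLE = [
    '198.51.100.7 - - [13/Dec/2011:10:01:02 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Dec/2011:10:05:40 -0500] "GET /%s HTTP/1.1" 200 5120 "-" "-"' % PROBE,
    '203.0.113.9 - - [13/Dec/2011:10:05:41 -0500] "GET /index.php%s HTTP/1.1" 200 913 "-" "-"' % PROBE,
    '198.51.100.7 - - [13/Dec/2011:10:09:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [13/Dec/2011:10:12:30 -0500] "GET /blog/%s HTTP/1.1" 403 210 "-" "-"' % PROBE,
]
```

A "review" verdict only means the response differed from the baseline; pages whose size changes between requests will land there too and need a manual look.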