[kwlug-disc] Identify this exploit?
Chris Irwin
chris at chrisirwin.ca
Sun Dec 29 19:19:36 EST 2019
On Sat, Dec 28, 2019 at 02:46:45PM -0500, John Van Ostrand wrote:
>There is more than one way a user agent can get the /etc/passwd file from a
>web server. One way is to exploit a bug in the web server software. Another
>way is for the administrator of the server to allow access in its
>configuration. If you change the <Directory /> directive to allow access
>and you have no system-wide security to prevent it, a user agent can access
>that file.
>
>So, yes, a horribly configured web server can allow access to that file.
SELinux is also a great help here, as it would block access to anything
a webserver shouldn't reasonably need to access, even if your
application is broken and your webserver is misconfigured.
--
Chris Irwin
email: chris at chrisirwin.ca
xmpp: chris at chrisirwin.ca
web: https://chrisirwin.ca
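The configuration John describes, as an added example that is not part of either message in this thread: the `<Directory />` block is the default that applies to every filesystem path not covered by a more specific `<Directory>`, so a permissive root makes any URL-to-filesystem mapping (an Alias, a misplaced DocumentRoot, or a traversal bug that escapes the intended directory) able to reach files like /etc/passwd. The first block shows the weak setting, the second the usual hardened pattern: deny the root, then grant only the document root. The path /var/www/html is an assumed example path, not one taken from the thread; the directives use Apache 2.4 syntax (in 2.2 the equivalents are `Order deny,allow` / `Deny from all` and `Allow from all`).

```apache
# Weak: the filesystem root is readable by the server, so any Alias,
# DocumentRoot mistake or path-traversal bug that maps a URL onto
# /etc/passwd will serve it.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Hardened: deny everything at the root, then open only the document
# root. /var/www/html is an assumed example path.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options None
    AllowOverride None
    Require all granted
</Directory>
```

After changing the configuration, `apachectl configtest` checks the syntax, and a request for a path outside the document root (for example `curl -i http://localhost/../../etc/passwd` against a test instance) should return 403 rather than file contents. Denying at the root is the Apache-level counterpart of Chris's SELinux point: it limits what the web server can hand out even when the application in front of it is broken.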