Subject: OpenLinux 2.3: rpm_query
From: harikiri (hariki@EL8.ORG)
Date: Sat Mar 04 2000 - 14:32:04 CST
This was observed on an OpenLinux 2.3 system, after performing a full
installation of all packages.
NOTE: I didn't see anything on this in the Bugtraq archive, so I'm
assuming it's not a known issue.
[root@noname /root]# rpm -q -f /home/httpd/cgi-bin/rpm_query
OpenLinux-2.3-16
[root@noname /root]#
Issue
The rpm_query cgi allows any individual who can connect to the web server
to obtain a listing of all rpm's installed on the system.
Impact
Attackers may use this information to identify what vulnerable software
packages have been installed.
Recommendation
If this cgi is not required:
# chmod 0 /home/httpd/cgi-bin/rpm_query
If it is required, use Apache's access control features to restrict who
may use it.
harikiri
-- "Unless you enter the tiger's lair, you cannot get hold of the tiger's cubs."
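The Apache access-control restriction recommended above, written out as an added example (not part of the original post): it assumes Apache 1.3-style directives as shipped with OpenLinux 2.3, the default ScriptAlias mapping /cgi-bin/ to the /home/httpd/cgi-bin directory named in the post, a constructed administrator subnet, and a hypothetical htpasswd file at /etc/httpd/rpm_query.users.

```apacheconf
# Added example, not from the original post: lock rpm_query down to a
# trusted network AND to authenticated users, instead of leaving it
# readable by anyone who can reach the web server.
<Location /cgi-bin/rpm_query>
    # Host-based restriction: deny everyone, then re-allow only the
    # local host and a constructed administrator subnet (placeholder).
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 192.168.1.0/255.255.255.0

    # HTTP basic authentication on top of the host check.
    # /etc/httpd/rpm_query.users is a placeholder path; create it with
    # the htpasswd tool that ships with Apache.
    AuthType Basic
    AuthName "rpm_query (administrators only)"
    AuthUserFile /etc/httpd/rpm_query.users
    Require valid-user

    # Satisfy All means BOTH the address check and the login must pass;
    # the default is also All, stated here so the intent is explicit.
    Satisfy All
</Location>
```

After adding this to httpd.conf, run apachectl configtest and restart the server; a request for /cgi-bin/rpm_query from an address outside the allowed list should then be refused with a 403 instead of returning the package list.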