[Full-Disclosure] ws_ftp.log

From: Gaurang Pandya (gaubrigyahoo.com)
Date: Sun Aug 15 2004 - 07:19:02 CDT


Hi,

WS_FTP is a popular and feature-rich FTP client. It
makes upload/download as easy as drag and drop. But
most people using it forget that it creates a log
file named ws_ftp.log. This file holds sensitive
data such as file source/destination, file name,
date/time of upload, etc. When people use it to
upload files to their website, they never know that,
along with the other files, the ws_ftp.log file also
gets uploaded to the web server, making it globally
accessible.

One can find thousands of ws_ftp.log files with a
quick google search as follows,

http://www.google.com/search?hl=en&ie=UTF-8&q=inurl%3Aws_ftp.log

Now people might use a more extensive Google search to
find files that were copied to the web server recently
with the following query, which will show you what
files actually got copied in August 2004, because it's
likely that those files will still be there on the web
server.

http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=2004.08+inurl%3Aws_ftp.log+&btnG=Search

An attacker has a look at the cached Google page
(without actually hitting the target and leaving traces
in the web server logs) and quickly finds out some
vital information such as:

1. The exact location of a file on the web server (i.e.,
/usr/local/www/test/abc.htm instead of
www.web.dom/test/abc.htm).

2. It sometimes also gives user names (in cases where
the webmaster gives each user a directory to host their
websites), which can later be used with a brute
force/dictionary attack to gain access to the web server.

3. It makes it easy to find/download vulnerable
scripts or classes in a website, again with just a
Google search, as given below. These could otherwise be
found by viewing the source of an HTML file, and can
later be used to attack the host.

http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=class+2004.08+inurl%3Aws_ftp.log+

Other than that, it also (sometimes) gives the internal
hostname/IP address of the web server.

Recommendation:
Please remove the ws_ftp.log file from the website after
data movement. Webmasters are requested to scan for and
remove such files from the web server (in case files are
uploaded by someone else). This can easily be done by a
cron job.

Special Thanks to:
Johnny Long (http://johnny.ihackstuff.com) for his
wonderful work of "The Google Hacker's Guide
Understanding and Defending Against
the Google Hacker"

Thanks & Regards,

Gaurang.
http://www.geocities.com/gaurangpandya/
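
The cron-driven cleanup recommended in the message above, as an added example that is not part of the original post. The function name, the quarantine location and the script path in the sample crontab line are assumptions, and both directories are expected as absolute paths.

```shell
#!/bin/sh
# Added example: sweep a web root for stray WS_FTP transfer logs and move
# them to a private directory instead of leaving them publicly readable.
#
# Hypothetical crontab entry (script path and directories are assumptions):
#   15 3 * * * /usr/local/sbin/sweep_ws_ftp_logs.sh /usr/local/www /var/quarantine/ws_ftp

# sweep_ws_ftp_logs WEBROOT QUARANTINE
# Prints one "quarantined: <path>" line per file moved; returns 2 on bad input.
sweep_ws_ftp_logs() {
    webroot=${1%/}
    quarantine=${2%/}
    [ -d "$webroot" ] || { echo "no such web root: $webroot" >&2; return 2; }

    # A quarantine directory below the web root would still be served.
    case "$quarantine/" in
        "$webroot"/*) echo "quarantine must be outside $webroot" >&2; return 2 ;;
    esac
    mkdir -p "$quarantine" && chmod 700 "$quarantine" || return 2

    stamp=$(date +%Y%m%d%H%M%S)
    # -iname also matches upper-case spellings such as WS_FTP.LOG;
    # -type f ignores directories and symlinks that happen to share the name.
    # -exec ... {} + hands paths over as arguments, so odd file names are safe.
    find "$webroot" -type f -iname 'ws_ftp.log' -exec sh -c '
        root=$1; q=$2; stamp=$3; shift 3
        for f in "$@"; do
            rel=${f#"$root"/}
            dest="$q/$rel.$stamp"   # keep the relative path for later review
            mkdir -p "$(dirname "$dest")" && mv -- "$f" "$dest" &&
                echo "quarantined: $f"
        done' sh "$webroot" "$quarantine" "$stamp" {} +
}

# Run the sweep only when both directories are given on the command line.
if [ "$#" -eq 2 ]; then
    sweep_ws_ftp_logs "$1" "$2"
fi
```

Moving the logs rather than deleting them keeps a record of which sites were exposed, so the owner can be told what paths and host details may already have been indexed.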

                