7158085 2001-09-21 16:05 -0300 /52 rader/ Hackemate.com.ar <hackemate@softhome.net> Sänt av: joel@lysator.liu.se Importerad: 2001-09-23 00:23 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Extern kopiemottagare: vuln-devs@securityfocus.com Extern kopiemottagare: incidents@securityfocus.com Externa svar till: hackemate@softhome.net Mottagare: Bugtraq (import) <19273> Ärende: Bug in Apache 1.3.20 Server - Hackemate Research ------------------------------------------------------------ From: "Hackemate.com.ar" <hackemate@softhome.net> To: bugtraq@securityfocus.com Cc: vuln-devs@securityfocus.com, incidents@securityfocus.com Message-ID: <9670.010921@softhome.net> This bug (?) affects: Apache/1.3.20 Server While, updating my site and checking out some things and directories, I discovered something pretty interesting in the tmp directory, there were three files, one with a "sem" extension and the other two ones without anyone. Files in Tmp directory: · sess_0af4137ea55aa752a12971b3145d815b · sess_b2e462409e859648ae96a2da84dc03ce · session_mm.sem Content of file "sess_0af4137ea55aa752a12971b3145d815b" username|s:9:"matt";password|s:9:"secret";!status|lastlist|s:4:"acct";domain|s:16:"host"; as soon as i read it I realised it is nothing more and nothing less than the server username and password to log in in PLAIN TEXT! Obviously i changed it where "matt" is the real username and "SECRET" the password Content of file "sess_b2e462409e859648ae96a2da84dc03ce" username|s:9:"USERname";password|s:9:"password";!status|lastlist|s:4:"acct";domain|s:16:"host"; The last file "session_mm.sem" was empty Research by WWW.HACKEMATE.COM <-- Contrasecurity Online KerozenE 1999-2001 c0oL! ICQ: 78480975 ********************************* Webmaster of www.hackemate.com.ar hackemate@softhome.net ********************************* Moderator of the Security Mailing http://www.eListas.net/lista/hackemate/alta hackemate-alta@Elistas.net ********************************* Editor of the EZine HC&KTM Http://www.hackemate.com.ar hackemate-alta@Elistas.net ********************************* (7158085) /Hackemate.com.ar <hackemate@softhome.net>/(Ombruten) Kommentar i text 7158885 av Grant Kaufmann <grantsec@netizen.co.za> 7158885 2001-09-23 18:42 -0400 /15 rader/ Grant Kaufmann <grantsec@netizen.co.za> Sänt av: joel@lysator.liu.se Importerad: 2001-09-23 05:40 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <19276> Kommentar till text 7158085 av Hackemate.com.ar <hackemate@softhome.net> Ärende: Re: Bug in Apache 1.3.20 Server - Hackemate Research ------------------------------------------------------------ From: "Grant Kaufmann" <grantsec@netizen.co.za> To: <bugtraq@securityfocus.com> Message-ID: <00f201c14481$093b5d80$e201080a@noodle> > This bug (?) affects: Apache/1.3.20 Server This is a PHP issue and its not a bug. This is the temporary session data for currently existing sessions. The files should be owned by the www user and mode 600. If you don't like the data being stored there, feel free to set the session_save_path variable in PHP >=4.0.0. -- Grant (7158885) /Grant Kaufmann <grantsec@netizen.co.za>/-