7158085 2001-09-21 16:05 -0300  /52 rader/ Hackemate.com.ar <hackemate@softhome.net>
Sänt av: joel@lysator.liu.se
Importerad: 2001-09-23  00:23  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Extern kopiemottagare: vuln-devs@securityfocus.com
Extern kopiemottagare: incidents@securityfocus.com
Externa svar till: hackemate@softhome.net
Mottagare: Bugtraq (import) <19273>
Ärende: Bug in Apache 1.3.20 Server - Hackemate Research
------------------------------------------------------------
From: "Hackemate.com.ar" <hackemate@softhome.net>
To: bugtraq@securityfocus.com
Cc: vuln-devs@securityfocus.com, incidents@securityfocus.com
Message-ID: <9670.010921@softhome.net>

This bug (?) affects: Apache/1.3.20 Server

        While, updating my site and checking out some things and
directories, I discovered something pretty interesting in the tmp
directory, there were three files, one with a "sem" extension and
the other two ones without anyone.

Files in Tmp directory:

· sess_0af4137ea55aa752a12971b3145d815b
· sess_b2e462409e859648ae96a2da84dc03ce
· session_mm.sem

Content of file "sess_0af4137ea55aa752a12971b3145d815b"

username|s:9:"matt";password|s:9:"secret";!status|lastlist|s:4:"acct";domain|s:16:"host";

as soon as i read it I realised it is nothing more and nothing less
than the server username and password to log in in PLAIN TEXT!
Obviously i changed it where "matt" is the real username and "SECRET"
the password

Content of file "sess_b2e462409e859648ae96a2da84dc03ce"

username|s:9:"USERname";password|s:9:"password";!status|lastlist|s:4:"acct";domain|s:16:"host";

The last file "session_mm.sem" was empty

Research by WWW.HACKEMATE.COM <-- Contrasecurity Online


KerozenE 1999-2001 c0oL!
ICQ: 78480975
*********************************
Webmaster of www.hackemate.com.ar
hackemate@softhome.net
*********************************
Moderator of the Security Mailing
http://www.eListas.net/lista/hackemate/alta
hackemate-alta@Elistas.net
*********************************
Editor of the EZine HC&KTM
Http://www.hackemate.com.ar
hackemate-alta@Elistas.net
*********************************
(7158085) /Hackemate.com.ar <hackemate@softhome.net>/(Ombruten)
Kommentar i text 7158885 av Grant Kaufmann <grantsec@netizen.co.za>
7158885 2001-09-23 18:42 -0400  /15 rader/ Grant Kaufmann <grantsec@netizen.co.za>
Sänt av: joel@lysator.liu.se
Importerad: 2001-09-23  05:40  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <19276>
Kommentar till text 7158085 av Hackemate.com.ar <hackemate@softhome.net>
Ärende: Re: Bug in Apache 1.3.20 Server - Hackemate Research
------------------------------------------------------------
From: "Grant Kaufmann" <grantsec@netizen.co.za>
To: <bugtraq@securityfocus.com>
Message-ID: <00f201c14481$093b5d80$e201080a@noodle>

> This bug (?) affects: Apache/1.3.20 Server
This is a PHP issue and its not a bug.
This is the temporary session data for currently existing sessions. The files should be
owned by the www user and mode 600. If you don't like the data being stored there, feel
free to set the session_save_path variable in PHP >=4.0.0.

--
Grant
(7158885) /Grant Kaufmann <grantsec@netizen.co.za>/-