Posted to users@httpd.apache.org by Knute Johnson <ap...@knutejohnson.com> on 2012/11/19 03:39:58 UTC

[users@httpd] Exploit?

  A total of 2 possible successful probes were detected (the following 
URLs contain strings that match one or more of a listing of strings that
  indicate a possible exploit):

     /?mod=../../../../../../../../proc/self/environ%00 HTTP Response 200
     /?page=../../../../../../../../proc/self/environ%00 HTTP Response 200


Above showed up in my log this morning.  Anybody know what the exploit
could be and how one can prevent this?

Thanks,

knute...

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Exploit?

Posted by Ben Johnson <be...@indietorrent.org>.

On 11/19/2012 9:54 AM, Miles Fidelman wrote:
> I'm guessing it might be trying a probe against a content management
> system that has a hole in it (e.g., WordPress has been known to leak
> information in the past).
> 
> Clearly some security scanner wrote those entries in your log file.  If
> you have something checking for that kind of exploit, you might want to
> look at its documentation for details.  (And report back!)

I see the same types of messages from Linux Logwatch, e.g.:

A total of 1 possible successful probes were detected (the following URLs
 contain strings that match one or more of a listing of strings that
 indicate a possible exploit):


/vtigercrm/graph.php?current_language=../../../../../../../..//etc/elastix.conf%00&module=Accounts&action
HTTP Response 301

My experience has been that these URLs need not exist for Logwatch to
include them in its output. We don't use vTiger CRM (whatever that may
be), so we ignore these entries.

Unless you have some CMS installed that accepts those query string
parameters (which WordPress might, as Isaac suggested), you can ignore
the messages.

If, on the other hand, you do use a CMS that may be vulnerable to this
type of exploit, be sure to perform due diligence and update it if
necessary.

Good luck!

-Ben



Re: [users@httpd] Exploit?

Posted by Miles Fidelman <mf...@meetinghouse.net>.

I'm guessing it might be trying a probe against a content management
system that has a hole in it (e.g., WordPress has been known to leak
information in the past).

Clearly some security scanner wrote those entries in your log file.  If 
you have something checking for that kind of exploit, you might want to 
look at its documentation for details.  (And report back!)


Issac Goldstand wrote:
> Not sure what it thinks it's matching, but both of those URLs will
> return 200 with the homepage on a static site...


-- 
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra




Re: [users@httpd] Exploit?

Posted by Issac Goldstand <ma...@beamartyr.net>.

Not sure what it thinks it's matching, but both of those URLs will return
200 with the homepage on a static site...

Sent from my mobile.  Please excuse any typos, spelling or other weirdness.


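The point made in the replies above, that a 200 status by itself does not show a probe worked, as an added example (not code from Logwatch or from any poster in this thread): it flags the traversal and NUL-byte requests and compares each response size with the clean page at the same path. The log lines are constructed, and treating an equal body size as "parameter ignored" is an assumption of this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Request line, status and response size from an Apache common/combined log line.
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
# What the probes in the thread have in common: "../" traversal or a decoded NUL byte.
SUSPICIOUS = re.compile(r"\.\./|\x00")

# Constructed sample lines (addresses, timestamps and sizes are made up).
SAMPLE = [
    '203.0.113.5 - - [19/Nov/2012:03:10:00 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Nov/2012:03:10:01 +0000] "GET /?mod=../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Nov/2012:03:10:02 +0000] "GET /?page=../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 842',
    '203.0.113.9 - - [19/Nov/2012:03:10:03 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/elastix.conf%00&module=Accounts&action HTTP/1.1" 301 236',
]

def parse(line):
    m = LOG_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    size = 0 if m["size"] == "-" else int(m["size"])
    return parts.path, unquote(parts.query), int(m["status"]), size

def triage(lines):
    """Return (path, verdict) for every request whose query looks like a probe."""
    records = [r for r in map(parse, lines) if r]
    baseline = {}  # path -> sizes of clean 200 responses
    for path, query, status, size in records:
        if status == 200 and not SUSPICIOUS.search(query):
            baseline.setdefault(path, set()).add(size)
    results = []
    for path, query, status, size in records:
        if not SUSPICIOUS.search(query):
            continue
        if status != 200:
            verdict = "not served"         # redirect or error, e.g. the 301 above
        elif size in baseline.get(path, ()):
            verdict = "parameter ignored"  # same body as the clean page
        else:
            verdict = "review"             # 200 with a different body: inspect the app
        results.append((path, verdict))
    return results

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE):
        print(f"{verdict:18} {path}")
```

Pages whose size varies per request will land in "review", which errs on the side of a manual look at the application that handled the request.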