
Bugtraq mailing list archives

OpenLinux 2.3: rpm_query
From: hariki () EL8 ORG (harikiri)
Date: Sat, 4 Mar 2000 12:32:04 -0800


This was observed on an OpenLinux 2.3 system, after performing a full
installation of all packages.

NOTE: I didn't see anything on this in the Bugtraq archive, so I'm
assuming it's not a known issue.

[root@noname /root]# rpm -q -f /home/httpd/cgi-bin/rpm_query
OpenLinux-2.3-16
[root@noname /root]#

Issue

The rpm_query cgi allows any individual who can connect to the web server
to obtain a listing of all RPMs installed on the system.

Impact

Attackers may use this information to identify what vulnerable software
packages have been installed.

Recommendation

If this cgi is not required:

        # chmod 0 /home/httpd/cgi-bin/rpm_query

If it is required, use Apache's access control features to restrict who
may use it.

harikiri

--
"Unless you enter the tiger's lair, you cannot get hold of the tiger's cubs."
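An Apache configuration fragment that implements the second recommendation above (restrict who may call the CGI rather than disabling it). This is an added example and not part of the original post or of Caldera's OpenLinux packaging. It assumes the stock layout quoted in the post, where CGIs live under /home/httpd/cgi-bin and are served at /cgi-bin/, and it uses 192.0.2.0/24 as a placeholder "administrator network"; substitute the addresses that actually need to run rpm_query.

```apache
# Added example, not from the original advisory.
# Assumption: CGIs under /home/httpd/cgi-bin are mapped to /cgi-bin/ by
# ScriptAlias, as on a default OpenLinux 2.3 install. Assumption: the
# hosts that legitimately need rpm_query sit in 192.0.2.0/24 (placeholder).

# Keep the existing CGI directory as it is; only the one script is restricted.
<Directory "/home/httpd/cgi-bin">
    Options ExecCGI
    AllowOverride None
</Directory>

# Apache 1.3 / 2.0 / 2.2 syntax (mod_access), as shipped on the affected
# system: deny by default, then permit the administrator network only.
# Matching on the URL path means the rule holds no matter which alias
# eventually resolves to the script.
<Location "/cgi-bin/rpm_query">
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/255.255.255.0
</Location>

# Equivalent for Apache 2.4 (mod_authz_core/mod_authz_host), if the same
# CGI is ever carried forward to a newer httpd. Leave this commented out on
# a 2.2-or-older server, where "Require ip" is not understood.
# <Location "/cgi-bin/rpm_query">
#     Require ip 192.0.2.0/24
# </Location>
```

After editing httpd.conf, run `httpd -t` (or `apachectl configtest`) before restarting, then confirm the restriction from a host outside the allowed network: a request for /cgi-bin/rpm_query should return 403 Forbidden rather than the package list. Note that source-address restriction only helps against remote enumeration; anyone on the allowed network still sees the full RPM inventory, so if nobody actually uses the script the chmod 0 option in the post is the simpler fix.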


