Bugtraq mailing list archives

OpenLinux 2.3: rpm_query
From: hariki () EL8 ORG (harikiri)
Date: Sat, 4 Mar 2000 12:32:04 -0800

This was observed on an OpenLinux 2.3 system, after performing a full
installation of all packages.

NOTE: I didn't see anything on this in the Bugtraq archive, so I'm
assuming it's not a known issue.

[root@noname /root]# rpm -q -f /home/httpd/cgi-bin/rpm_query
[root@noname /root]#


The rpm_query cgi allows any individual who can connect to the web server
to obtain a listing of all rpm's installed on the system.


Attackers may use this information to identify what vulnerable software
packages have been installed.


If this cgi is not required:

        # chmod 0 /home/httpd/cgi-bin/rpm_query

If it is required, use Apache's access control features to restrict who
may use it.


"Unless you enter the tiger's lair, you cannot get hold of the tiger's cubs."

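An added example, not part of the original post: one way to apply the access restriction suggested above, written for the host-based access directives of Apache 1.3 through 2.2, with the Apache 2.4 equivalent shown in comments. The directory path is the one given in the post; the loopback-only allow list and the commented admin subnet are assumptions to adjust per site.

```apache
# Added example (not from the original post).
# Restrict the rpm_query CGI so that only trusted hosts can request the
# installed-package listing. Keyed on the filesystem path from the post, so
# it does not depend on how ScriptAlias maps the directory to a URL.

<Directory "/home/httpd/cgi-bin">
    <Files "rpm_query">
        # Apache 1.3 / 2.0 / 2.2 (mod_access, mod_authz_host):
        # with "Order deny,allow", Deny is evaluated first and Allow
        # overrides it, so every client not listed below is refused (403).
        Order deny,allow
        Deny from all

        # Assumption: only the local host needs the listing.
        Allow from 127.0.0.1

        # Assumption: constructed admin subnet, uncomment and edit if needed.
        # Allow from 192.0.2.0/255.255.255.0
    </Files>
</Directory>

# Apache 2.4 equivalent (mod_authz_core / mod_authz_host). Use this form
# instead of the Order/Deny/Allow lines above; do not mix the two styles.
#
# <Directory "/home/httpd/cgi-bin">
#     <Files "rpm_query">
#         Require local
#         # Require ip 192.0.2.0/24
#     </Files>
# </Directory>
```

After reloading the server, a request for the script from a host outside the allow list should return 403 Forbidden, while the script keeps working from the allowed hosts.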