oss-sec mailing list archives

Re: CVE request: nginx world-readable logdir
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 21 Feb 2013 12:44:09 -0700

On 02/21/2013 11:17 AM, Henri Salo wrote:
> On Thu, Feb 21, 2013 at 06:50:14PM +0100, Agostino Sarubbo wrote:
>> Hello,
>>
>> I just noticed my nginx logdir and its content are
>> world-readable:
>>
>> drwxr-xr-x  2 root root  4096 Jan 10 00:11 .
>> drwxr-xr-x 16 root root  4096 Feb 21 17:46 ..
>> -rw-r--r--  1 root root 69415 Feb 21 17:46 error_log
>> -rw-r--r--  1 root root 93017 Feb 18 22:03 localhost.access_log
>> -rw-r--r--  1 root root 86227 Feb 18 22:03 localhost.error_log
>>
>> What do you think about it?
>>
>> -- 
>> Agostino Sarubbo / ago -at- gentoo.org
>> Gentoo Linux Developer
>
> Also affects Debian squeeze package. I will report a bug. Can we
> get a CVE assigned for this issue? Thank you.
>
> -- Henri Salo


OK, is this like standard HTTPD-style logs? If so then they would
generally be considered sensitive (GET strings, etc.). Adding nginx to
the cc so they know.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

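Added example, not part of the original messages: a POSIX shell check for the condition reported in this thread, a log directory whose entries grant read access to "other". The function names `audit_logdir` and `restrict_logdir` are hypothetical, the `o-rwx` remediation is an assumption (the thread does not state a fix), and the demo directory is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a log directory for o+r entries.

# List DIR and everything under it that grants read permission to "other".
# -perm -004 matches any entry whose mode has the other-read bit set.
# Returns 0 when clean, 1 when findings were printed, 2 on a bad argument.
audit_logdir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    findings=$(find "$dir" \( -type f -o -type d \) -perm -004 \
                    -exec ls -ld {} + 2>/dev/null)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Assumed remediation: strip all "other" access from DIR and its contents.
restrict_logdir() {
    find "$1" \( -type f -o -type d \) -exec chmod o-rwx {} +
}

# Constructed demo: a throwaway directory using the modes from the listing
# quoted in the thread (0755 directory, 0644 log file).
demo=$(mktemp -d)
chmod 755 "$demo"
: > "$demo/localhost.access_log"
chmod 644 "$demo/localhost.access_log"
audit_logdir "$demo" || echo "world-readable entries found"
restrict_logdir "$demo"
audit_logdir "$demo" && echo "clean after removing other access"
rm -rf "$demo"
```

Files created later get whatever mode the creating process or the log rotation configuration uses, so rerun the audit after a rotation.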

