
oss-sec mailing list archives
Re: CVE request: nginx world-readable logdir
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 21 Feb 2013 12:44:09 -0700
On 02/21/2013 11:17 AM, Henri Salo wrote:
> On Thu, Feb 21, 2013 at 06:50:14PM +0100, Agostino Sarubbo wrote:
>> Hello,
>>
>> I just noticed my nginx logdir and its content are world-readable:
>>
>> drwxr-xr-x  2 root root  4096 Jan 10 00:11 .
>> drwxr-xr-x 16 root root  4096 Feb 21 17:46 ..
>> -rw-r--r--  1 root root 69415 Feb 21 17:46 error_log
>> -rw-r--r--  1 root root 93017 Feb 18 22:03 localhost.access_log
>> -rw-r--r--  1 root root 86227 Feb 18 22:03 localhost.error_log
>>
>> What do you think about?
>> --
>> Agostino Sarubbo / ago -at- gentoo.org
>> Gentoo Linux Developer
>
> Also affects Debian squeeze package. I will report a bug. Can we get a CVE
> assigned for this issue, thank you.
>
> --
> Henri Salo

Ok is this like standard HTTPD style logs? If so then they would generally be considered sensitive (GET strings, etc.). Adding nginx to the cc so they know.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
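
An added example, not part of the original message or of any poster's or project's code: a shell check for the permission pattern in the quoted listing (log directory and log files readable by "other"), run here against a constructed temporary directory. The function names and the `o-rwx` remediation are assumptions of this example, not a fix stated in the thread.

```shell
#!/bin/sh
# Audit a log directory for entries that grant read access to "other",
# i.e. the 0755 directory / 0644 files pattern from the quoted listing.

# Print every directory or regular file under $1 (including $1 itself)
# whose mode has the other-read bit set. Prints nothing when clean.
world_readable_entries() {
    find "$1" \( -type d -o -type f \) -perm -004 -print | sort
}

# Number of such entries.
count_world_readable() {
    world_readable_entries "$1" | wc -l | tr -d ' '
}

# Remove all access for "other" from the directory and the files in it.
# Assumption: whoever legitimately reads the logs is the owner or in the
# owning group, so dropping "other" does not lock them out.
restrict_logdir() {
    find "$1" \( -type d -o -type f \) -exec chmod o-rwx {} +
}

# Constructed sample input: a temporary directory with the same file names
# and modes as the listing (ownership is whoever runs the script, not root).
make_sample_logdir() {
    d=$(mktemp -d) || return 1
    chmod 755 "$d"
    for f in error_log localhost.access_log localhost.error_log; do
        : > "$d/$f"
        chmod 644 "$d/$f"
    done
    printf '%s\n' "$d"
}

demo() {
    dir=$(make_sample_logdir) || return 1
    echo "before: $(count_world_readable "$dir") world-readable entries"
    world_readable_entries "$dir"
    restrict_logdir "$dir"
    echo "after:  $(count_world_readable "$dir") world-readable entries"
    rm -rf "$dir"
}
demo
```

Re-run the check after log rotation, since newly created files get their mode from whatever creates them, not from the file they replace.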
Current thread:
- nginx world-readable logdir Agostino Sarubbo (Feb 21)
- Re: nginx world-readable logdir Henri Salo (Feb 21)
- CVE request: nginx world-readable logdir Henri Salo (Feb 21)
- Re: CVE request: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: CVE request: nginx world-readable logdir Anders Petersson (Feb 21)
- Re: CVE request: nginx world-readable logdir Anders Petersson (Feb 21)
- Re: CVE request: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: CVE request: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: nginx world-readable logdir gremlin (Feb 22)
- Re: nginx world-readable logdir Kurt Seifried (Feb 22)
- Re: nginx world-readable logdir Henri Salo (Feb 22)
- Re: nginx world-readable logdir gremlin (Feb 22)
- nginx CVE-2013-0337 world-readable logs gremlin (Feb 23)