
AW: [suse-security] Re: SSH and Apache warnings Nessus




> -----Original Message-----
> From: Stefan Andreas Tichy [mailto:listuser@xxxxxxxxx]
> Sent: Monday, October 6, 2003 14:42
> To: suse-security@xxxxxxxx
> Subject: [suse-security] Re: SSH and Apache warnings Nessus
> 
> 
> On Mon, Oct 06, 2003 at 08:09:37AM +0100, Hollweg, Daniel wrote:
> > I have two problems with a newly installed SuSe Linux Professional 8.2.
> > All current patches are applied. When I am scanning the box with the
> > nessus I get the following warnings:
> > 
> > - 	You are running a version of OpenSSH which is older than 3.7.1
> > 
> > - 	You are running OpenSSH-portable 3.6.1p1 or older.
> 
> If possible SuSE applies fixes to software versions originally delivered
> with some SuSE distribution. Therefore upgrading to the newest
> versions is not necessary.
> 
> 
> > Is this O.K. and just a Nessus Problem with the SuSe version of
> > SSH?
> 
> Yes
> 
> 
> > - 	The remote HTTP server allows an attacker to read arbitrary files
> > 	on the remote web server, simply by adding a slash in front of its name.
> > 	Example: GET //etc/passwd will return /etc/passwd.
> 
> There has been a vulnerability in mod_rewrite, but it should be no
> problem using apache installed with SuSE 8.2.
> http://www.apacheweek.com/issues/00-09-22
> 
> > I already installed the newest SuSe Apache 1.3 package. Where is the problem?
> > Amazing is that the GET request does not return the whole passwd but only two
> > lines.
> 
> Is this just some nessus information or did you reproduce the
> problem?

I tested it and it returns two lines of my /etc/passwd. Other files
like /etc/inittab result in an Error 403.

Here is a sample output:

root:*:0:0::/:/etc/ftponly
foo:x:502:503::/home/foo/public_html/./:/bin/false

Regards,
Daniel
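
One way to triage this finding on the host itself, added here as an example and not part of the original thread: compare the body the web server returned with the machine's own passwd file to tell whether it is the system file, part of it, or a different passwd-format file. The function names and the two host files (`HOST_A`, `HOST_B`) are constructed for illustration; only `RESPONSE_BODY` comes from the message above.

```python
def parse_passwd(text):
    """Return well-formed passwd entries (7 fields, numeric UID/GID) as tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[2].isdigit() and fields[3].isdigit():
            entries.append(tuple(fields))
    return entries


def triage(body, system_passwd):
    """Compare an HTTP response body with the host's own passwd file."""
    returned = parse_passwd(body)
    system = set(parse_passwd(system_passwd))
    matched = [e[0] for e in returned if e in system]
    unknown = [e[0] for e in returned if e not in system]
    if not returned:
        verdict = "not-passwd"        # error page or unrelated content
    elif not matched:
        verdict = "other-file"        # passwd syntax, but not this host's file
    elif set(returned) == system:
        verdict = "full-disclosure"   # entire system file served
    else:
        verdict = "partial"           # some system entries served
    return {"verdict": verdict, "matched": matched, "unknown": unknown}


# Response body quoted in the message above.
RESPONSE_BODY = (
    "root:*:0:0::/:/etc/ftponly\n"
    "foo:x:502:503::/home/foo/public_html/./:/bin/false\n"
)

# Constructed stand-ins for the host's /etc/passwd; on the real box use
# open("/etc/passwd").read() instead.
HOST_A = RESPONSE_BODY + "wwwrun:x:30:8:WWW daemon:/var/lib/wwwrun:/bin/false\n"
HOST_B = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "foo:x:502:503::/home/foo:/bin/bash\n"
)

if __name__ == "__main__":
    for name, passwd in (("HOST_A", HOST_A), ("HOST_B", HOST_B)):
        print(name, triage(RESPONSE_BODY, passwd))
```

An "other-file" verdict means the server is serving some passwd-format file under its document root rather than the system file, which calls for a different fix than a path traversal does.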
