Downloading of others' log files (security alert?)

MattF (Active Member, May 5, 2002):
When I FTP to my user account with [email protected] I was able to view and download all accounts' log files (excluding FTP logs). Correct me if I'm wrong, but isn't this very serious? I could generate a map of someone's site, and if any information is sent via GET, such as passwords or credit card info, I could grab this from the logs.

Redman (Member, Jul 7, 2002):
Just a thought, but shouldn't you email this to Nick instead of posting it on a public forum for everyone to see and possibly exploit?

Elena (Well-Known Member, Aug 10, 2001, California):
I brought this up with my provider in July. You can stop this from happening by removing world read access (I think chmod 711) for /usr/local/apache/domlogs

It's only a security issue if you let it be one. :p
But you should mail Nick about it anyway... it would be nice if each user only had access to their own logs through this feature (dedicated IP clients have this, the users that see what MattF explained are IP-less accounts).

Redman, it's not really an exploit... if the domlogs directory doesn't have the correct permissions then any user can get there through the shell.

carperman (Well-Known Member, Feb 7, 2002):

> I brought this up with my provider in July. You can stop this from happening by removing world read access (I think chmod 711) for /usr/local/apache/domlogs


This stops users not only from seeing others' logs but their own!!

Elena (Well-Known Member, Aug 10, 2001, California):
They can still download the rawlog from the cpanel (just not through this, what I see as unnecessary, FTP option).

MattF (Active Member, May 5, 2002):
The problem with my /usr/local/apache/domlogs was that the HTTP access logs were set to root.root or similar ownership; is that just my setup? Hence the solution to set it to 711 would disable any point of FTP access for logs, because no one would be able to download the logs. It closes the problem but disables the feature? I have several clients that use FTP to download the logs, hence why I pointed it out and have written a little script (see my other thread) which corrects the problem.