oss-sec mailing list archives
Re: CVE request: nginx world-readable logdir
From: Anders Petersson <anders () xvx se>
Date: Thu, 21 Feb 2013 21:05:12 +0100
2013/2/21 Kurt Seifried <kseifried () redhat com>
> On 02/21/2013 11:17 AM, Henri Salo wrote:
> > On Thu, Feb 21, 2013 at 06:50:14PM +0100, Agostino Sarubbo wrote:
> > > Hello,
> > > I just noticed my nginx logdir and its content are world-readable:
> > >
> > > drwxr-xr-x  2 root root  4096 Jan 10 00:11 .
> > > drwxr-xr-x 16 root root  4096 Feb 21 17:46 ..
> > > -rw-r--r--  1 root root 69415 Feb 21 17:46 error_log
> > > -rw-r--r--  1 root root 93017 Feb 18 22:03 localhost.access_log
> > > -rw-r--r--  1 root root 86227 Feb 18 22:03 localhost.error_log
> > >
> > > What do you think about?
> > >
> > > --
> > > Agostino Sarubbo / ago -at- gentoo.org
> > > Gentoo Linux Developer
> >
> > Also affects Debian squeeze package. I will report a bug. Can we get a
> > CVE assigned for this issue, thank you.
> >
> > --
> > Henri Salo
>
> Ok is this like standard HTTPD style logs? If so then they would
> generally be considered sensitive (GET strings, etc.). Adding nginx to
> the cc so they know.
They are httpd-style logs:

$ tail -1 /var/log/nginx/access.log
85._._._ - - [21/Feb/2013:18:_:_ +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 172 "-" "-"

However on Debian Squeeze the logs themselves are not world-readable (at least on my system):

$ ls -la /var/log/nginx/
total 452
drwxr-xr-x 2 root     root  4096 Feb 21 06:25 .
drwxr-xr-x 9 root     root  4096 Feb 21 06:25 ..
-rw-r----- 1 www-data adm    934 Feb 21 18:40 access.log
-rw-r----- 1 www-data adm  20134 Feb 21 03:46 access.log.1

--
Anders Petersson
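The thread boils down to a permissions check and a packaging fix: access logs in the combined format carry client IPs, request paths and any query strings (so session tokens, API keys or reset links that land in a URL), and a 0644 log under a 0755 directory hands all of that to every local account. The script below is an added example, not code from the thread or from the nginx or Debian packaging. It builds a constructed temporary log directory laid out like the Gentoo listing above (0755 directory, 0644 files, with a made-up access-log line modelled on the one Anders posted), reports the world-readable files the way a hardening audit would, tightens them to the 0640/0750 layout the Debian listing shows, and prints a logrotate stanza whose `create 0640 www-data adm` line keeps rotated logs from regressing. The owner/group names and the log paths are assumptions; the `chown` to www-data:adm is omitted because it needs root.

```shell
#!/bin/sh
# Added example (not from the thread): audit an nginx log directory for
# world-readable files, tighten the permissions, and show the logrotate
# "create" mode that keeps new logs private. Runs offline on a constructed
# fixture; names and paths are assumptions, not the project's own.
set -eu

# world_readable DIR: print every regular file under DIR whose "other"
# read bit (o+r, octal 004) is set. Returns 0 if none, 1 if any were found.
world_readable() {
    dir=$1
    found=$(find "$dir" -type f -perm -004 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# count_world_readable DIR: number of world-readable regular files under DIR.
count_world_readable() {
    find "$1" -type f -perm -004 | wc -l | tr -d ' '
}

# fix_perms DIR: directory 0750, files 0640, i.e. the layout shown in the
# Debian listing (there the files are www-data:adm; chown needs root and is
# deliberately left out of this example).
fix_perms() {
    dir=$1
    chmod 0750 "$dir"
    find "$dir" -type f -exec chmod 0640 {} +
}

# logrotate_stanza: assumed logrotate config for the log path; the "create"
# line is what stops rotation from re-creating logs with a permissive mode.
logrotate_stanza() {
    cat <<'EOF'
/var/log/nginx/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    create 0640 www-data adm
    sharedscripts
    postrotate
        [ -f /var/run/nginx.pid ] && kill -USR1 "$(cat /var/run/nginx.pid)"
    endscript
}
EOF
}

# make_fixture: constructed log directory mirroring the Gentoo listing
# (0755 dir, 0644 files). Prints the directory path.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/nginx"
    # Constructed combined-format line modelled on the one in the thread;
    # the IP (TEST-NET-3) and timestamp are placeholders.
    printf '%s\n' '203.0.113.7 - - [21/Feb/2013:18:00:00 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 172 "-" "-"' \
        > "$tmp/nginx/access.log"
    : > "$tmp/nginx/error.log"
    chmod 0755 "$tmp/nginx"
    chmod 0644 "$tmp/nginx/access.log" "$tmp/nginx/error.log"
    printf '%s\n' "$tmp/nginx"
}

# Demo: audit, fix, re-audit, then show the logrotate stanza.
logdir=$(make_fixture)
if world_readable "$logdir"; then
    echo "no world-readable files under $logdir"
else
    echo "world-readable log files found under $logdir; applying 0750/0640"
    fix_perms "$logdir"
fi
world_readable "$logdir" && echo "re-audit clean"
logrotate_stanza
rm -rf "$(dirname "$logdir")"
```

Run it against the real directory by replacing `make_fixture` with `/var/log/nginx`; the audit part is read-only and safe on any host, while `fix_perms` should be applied together with the `chown` your distribution expects, since a 0640 file owned by root is unreadable by the `adm`-group log readers the Debian layout is designed for.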
Current thread:
- nginx world-readable logdir Agostino Sarubbo (Feb 21)
- Re: nginx world-readable logdir Henri Salo (Feb 21)
- CVE request: nginx world-readable logdir Henri Salo (Feb 21)
- Re: CVE request: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: CVE request: nginx world-readable logdir Anders Petersson (Feb 21)
- Re: CVE request: nginx world-readable logdir Anders Petersson (Feb 21)
- Re: CVE request: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: CVE request: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: nginx world-readable logdir Kurt Seifried (Feb 21)
- Re: nginx world-readable logdir gremlin (Feb 22)
- Re: nginx world-readable logdir Kurt Seifried (Feb 22)
- Re: nginx world-readable logdir Henri Salo (Feb 22)
- Re: nginx world-readable logdir gremlin (Feb 22)
- nginx CVE-2013-0337 world-readable logs gremlin (Feb 23)
- Re: nginx CVE-2013-0337 world-readable logs Kurt Seifried (Feb 24)