GoFuckYourself.com - Adult Webmaster Forum - View Single Post - SERIOUS SECURITY HOLE: Anyone who has scripts that use access.log piping MUST READ

ServerGenius · 11-10-2007, 05:03 PM

you can find it in your httpd.conf file and/or apache config files that you use which contain the virtualhost configs

for example
/path/to/apache/config/vhost.conf or vhost.include

on debian this would be /etc/apache2/sites-availabe/filename

or servers that use control panels kinda of software it's usually in

/usr/home/username/conf or /usr/home/username/public_html/config

Example of scripts that use logfile piping are pennywize and/or other scripts
that are supposed to prevent login/password theft/sharing/abuse

But also other monitoring scripts that read data from the webserver logs
by method of logfile piping are vulnerable.....

This concerns both php and perl cgi scripts and there's no patch to prevent
this as of now.....

11-10-2007, 05:03 PM
ServerGenius Confirmed User Join Date: Feb 2002 Location: Amsterdam Posts: 9,377	you can find it in your httpd.conf file and/or apache config files that you use which contain the virtualhost configs for example /path/to/apache/config/vhost.conf or vhost.include on debian this would be /etc/apache2/sites-availabe/filename or servers that use control panels kinda of software it's usually in /usr/home/username/conf or /usr/home/username/public_html/config Example of scripts that use logfile piping are pennywize and/or other scripts that are supposed to prevent login/password theft/sharing/abuse But also other monitoring scripts that read data from the webserver logs by method of logfile piping are vulnerable..... This concerns both php and perl cgi scripts and there's no patch to prevent this as of now..... __________________ \| http://www.sinnerscash.com/ \| ICQ: 370820 \| Skype: SinnersCash \| AdultWhosWho \|