Fwd: [WEB SECURITY] AT&T exposes /etc/passwd , bad php
Matt Parsons
mparsons1980 at gmail.com
Tue Jul 28 14:11:37 EDT 2009
I have used UNIX before. I also know that if I scanned this application
with a tool like Ounce I would have found the vulnerability before the
public did. It would have been listed as a directory traversal attack.
I misspoke when I said that users should not have access to the
/etc/passwd file and that all users need to have read access. But does the
public need to have read access on an external facing website? I believe the
proper way to do it would be to use the /etc/shadow file and do a redirect
only giving access to root, having the password hash replaced with an X that
tells the user to retrieve the corresponding user's password via the
/etc/shadow file. Am I wrong? What do you think?
Matt
Matt Parsons, CISSP
315-559-3588 Blackberry
817-238-3325 Home office
mparsons1980 at gmail.com
www.parsonsisconsulting.com
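The thread is about a directory traversal in a PHP application rather than about the permissions of /etc/passwd itself (that file is world-readable by design on Unix, while password hashes live in the root-only /etc/shadow). The example below is added here and is not code from the thread or from AT&T's application: it shows the vulnerable concatenation pattern beside a hardened handler that canonicalizes the requested path and checks it stays inside the intended document directory. The directory layout, file names and request strings are constructed for the demonstration.

```php
<?php
// Added example, not from the original post. Constructed document directory
// and requests; the real application's paths are unknown.

// Vulnerable pattern: user input is glued onto a filesystem path.
// A request like ?file=../../../../etc/passwd walks out of $root.
function read_doc_vulnerable(string $root, string $name): ?string
{
    $data = @file_get_contents($root . '/' . $name);
    return $data === false ? null : $data;
}

// Hardened pattern: resolve the path, then require it to sit inside $root.
function read_doc_safe(string $root, string $name): ?string
{
    $realRoot = realpath($root);
    if ($realRoot === false) {
        return null;
    }
    // Reject NUL bytes (they truncate C-level paths) and path separators up
    // front: this handler only ever serves bare file names. An application
    // that needs subdirectories would drop the separator check and rely on
    // the realpath prefix comparison below.
    if ($name === '' || strpbrk($name, "\0/\\") !== false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks; false if the file is missing.
    $candidate = realpath($realRoot . DIRECTORY_SEPARATOR . $name);
    $prefix = $realRoot . DIRECTORY_SEPARATOR;
    if ($candidate === false
        || strncmp($candidate, $prefix, strlen($prefix)) !== 0
        || !is_file($candidate)) {
        return null;
    }
    $data = file_get_contents($candidate);
    return $data === false ? null : $data;
}

// Demonstration: build a throwaway document directory with one public file.
$docRoot = sys_get_temp_dir() . '/docdemo_' . getmypid();
mkdir($docRoot, 0700);
file_put_contents($docRoot . '/readme.txt', "public document\n");

// Constructed requests: a legitimate name, a traversal attempt, a NUL-byte trick.
$requests = ['readme.txt', '../../../../etc/passwd', "readme.txt\0.jpg"];
foreach ($requests as $req) {
    $safe = read_doc_safe($docRoot, $req);
    printf("%-32s safe handler: %s\n", json_encode($req),
        $safe === null ? 'rejected' : 'served');
}

unlink($docRoot . '/readme.txt');
rmdir($docRoot);
```

The prefix comparison appends a directory separator to the resolved root before comparing, so a sibling directory such as /var/www/docs2 is not mistaken for /var/www/docs. Checking for traversal on the input string alone is not enough, because encodings and symlinks can bypass string filters; resolving the path first and then checking where it landed is what makes the second handler reliable.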
-----Original Message-----
From: security curmudgeon [mailto:jericho at attrition.org]
Sent: Tuesday, July 28, 2009 12:59 PM
To: Matt Parsons
Subject: Re: Fwd: [WEB SECURITY] AT&T exposes /etc/passwd , bad php
: > From: "Matt Parsons" <mparsons1980 at gmail.com>
: > Date: July 27, 2009 8:03:00 PM EDT
: > To: "'Kevin Stewart'" <kevin.g.stewart at gmail.com>, "'Michael Condon'"
: > <admin at singulartechnologysolutions.com>
: > Cc: "'Shane Forsythe'" <shane.forsythe at fau.edu>, <websecurity at webappsec.org>
: > Subject: RE: [WEB SECURITY] AT&T exposes /etc/passwd , bad php
: >
: > I wonder if AT&T did a security review of this application. If you had one
: > of the leading vendor tools you could have done a source code analysis of
: > the code in php and prevented this from happening. In the future, companies
: > like AT&T should consider reviewing their PHP code from both a white box and
: > black box. At a minimum, I would consider making sure there were proper
: > permissions on that file. Personally, I would have written the application
: > in a language that is a bit more secure like .NET or Java.
: >
: > Matt
: >
: >
: > Matt Parsons, CISSP
What permissions would you suggest for /etc/passwd?
Or more to the point, have you even used Unix before?
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA