Web Server Bug

David Douthitt ssrat at ticon.net
Fri Jun 15 18:52:00 UTC 2007


Ricky Zhou wrote:
> I don't think just showing code/non-sensitive debugging information is a
> huge security problem.  Consider that the code for the accounts system
> is publicly viewable in CVS anyway (hooray for openness):
> http://cvs.fedoraproject.org/viewcvs/fedora-accounts/?root=fedora.
Having the code publicly available is one matter.

However, the error showed the following security-related items in any case:

* Python is being used (Risk: a hacker won't try Perl, Ruby, or shell
code...)
* Python v2.4.3 is being used (Risk: no need to guess at which cracks
will work...)
* PostgreSQL is being used (Risk: no need to try mySQL hacks....)
* Directory tree: /srv/web/accounts/ (Risk: no need to search out
location of code...)

Certainly, having the code being open is a risk but a calculated one
which is offset by the benefits.

In security, this is known as an "information leak."  The best thing to
do is *hide* all of this information (which also leads to nicer "error"
pages for the user - no tech info, just a "sorry, nasty error: reported
to sysadmin, thanks." or some such).

-- 
UNIX System Administrator
Linux+, SCSA, RHCE, LPIC-1
HP-UX, Linux, Solaris, FreeBSD
Books: "Advanced System Administration" and "GNU Screen: A Comprehensive Introduction"
http://www.lulu.com/ssrat
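The fix described in the message above, as an added example that is not part of the original post or of the fedora-accounts code: a small WSGI wrapper that keeps the traceback (and with it the interpreter version and directory tree) on the server under a reference id and shows the user only a generic message. The handler names and the error text are constructed for the demonstration.

```python
import logging
import sys
import traceback
import uuid

# Added example, not from the thread or fedora-accounts; all names are constructed.
log = logging.getLogger("accounts")

def verbose_app(environ, start_response):
    """Constructed leaky handler: echoes traceback and interpreter version."""
    try:
        raise RuntimeError("db connection failed")
    except RuntimeError:
        text = "Python %s\n%s" % (sys.version.split()[0], traceback.format_exc())
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
        return [text.encode()]

def failing_app(environ, start_response):
    """Constructed stand-in for the page handler that blew up."""
    raise RuntimeError("db connection failed")

class HideErrors:
    """Hardened form: log details server-side under a reference id and
    send the user only a generic message (no version, path or frames)."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            ref = uuid.uuid4().hex[:12]
            log.error("ref=%s path=%s\n%s", ref, environ.get("PATH_INFO"),
                      traceback.format_exc())
            body = ("Sorry, an internal error occurred and has been reported "
                    "to the sysadmin (reference %s)." % ref).encode()
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain; charset=utf-8"),
                            ("Content-Length", str(len(body)))], sys.exc_info())
            return [body]

def call_app(app, path="/accounts/"):
    """Minimal in-process WSGI client; returns (status, body_text)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
    chunks = app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response)
    return captured["status"], b"".join(chunks).decode()
```

Compare `call_app(verbose_app)` with `call_app(HideErrors(failing_app))`: the first body carries the stack frames and version string, the second only the reference id that the sysadmin can match against the log.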




More information about the Fedora-infrastructure-list mailing list