Misconfigured Web Servers

David Klur dklur at dttus.com
Wed Dec 27 22:12:55 PST 1995


     
     Re: the "trick" below... an even more effective search is the 
     following...
     
     http://www.altavista.digital.com/cgi-bin/query?pg=aq&what=web&q=url%3Aetc%2Fpasswd&r=&d0=&d1=&Submit.x=51&Submit.y=14
     
     which searches all URLs that contain etc/passwd 
     
     See for yourself!
     
     
     David Klur
     
     
_____________________________ Reply Separator _________________________________
Subject: BoS: Misconfigured Web Servers
Author:  nobody at mail.uu.net at Internet-USA
Date:    12/26/95 3:57 PM


     Everyone,
     
     A friend of mine showed me a nasty little "trick" over the weekend. He 
     went to a Web Search server (http://www.altavista.digital.com/) and 
     did a search on the following keywords -
     
             root: 0:0 sync: bin: daemon:
     
     You get the idea. He copied out several encrypted root passwords from 
     passwd files, launched CrackerJack and a 1/2 MB word file and had a 
     root password in under 30 minutes. All without accessing the site's 
     server, just the index on a web search server!
     
     Well, the first thing I did was check my site and it's ok. The second 
     thing I did was check my ISP for my home account, and it's okay. But 
     by trying various combinations of common accounts on web searches, 
     dozens of passwd files were found.
     
     It seems that a large number of locations who use httpd and ftpd on 
     the same server often copy the regular passwd file to ftp/etc or 
     ftp-users/etc for ftp user access. A few sites have left the root 
     password in the file, and many contain user accounts' passwords. The 
     problems I see here are as follows:
     
     1. You can get the passwd file in some cases by simply pointing your 
     URL to http://target.com/ftp/etc/passwd or 
     http://target.com/ftp-users/etc/passwd. Not good. Anon ftp can't get 
     it but a web browser can. Many passwd files are shadowed but you can 
     see some legit account names. Yes, I realize that this may be a dummy 
     file but hey, not always the case.
     
     2. Some sites do not have the passwd file world readable, but the 
     entire passwd file still exists indexed on the web search server. I 
     don't know about you, but I don't think I'd want my passwd file 
     indexed and searchable on a world accessible web server.
     
     3. A ton of etc/group files turned up as well.
     
     The guy that showed me this found it funny, but I find it disturbing. 
     Are there that many sites that are that poorly configured?
     
     Mark_W_Loveless at smtp.bnr.com
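The post above describes the exposure (a full passwd file copied into ftp/etc or ftp-users/etc under a web-served tree, hashes and all) but not how to check for it on your own host. The script below is an added example, not code from the original post or from either author: it walks a document root, parses every passwd(5)-format file it finds, flags entries that still carry a crackable hash rather than a placeholder such as "*" or "x", reports group files, and builds the sanitized copy (name, uid, gid only) that anonymous FTP actually needs. The directory layout, account names and the 13-character hash strings in the sample are constructed for the demo and belong to no real system.

```python
"""Audit passwd/group copies left under a web or FTP document root.

Added example, not from the original post. Finds files named passwd or
group anywhere below a root (the ftp/etc and ftp-users/etc copies the post
mentions), reports entries whose password field is a real hash rather than
a placeholder, and produces the hash-free copy that ftp/etc/passwd should
contain. Sample data below is constructed, not taken from any system.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Iterator, List

# Password-field values that carry no hash: locked or shadowed markers.
PLACEHOLDERS = {"", "*", "x", "!", "!!", "NP", "*NP*", "*LK*"}


@dataclass
class PasswdEntry:
    name: str
    hash_field: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @property
    def exposes_hash(self) -> bool:
        # Anything that is not a placeholder is something CrackerJack can chew on.
        return self.hash_field not in PLACEHOLDERS and not self.hash_field.startswith("!")


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines; skip blanks, comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue
        try:
            uid, gid = int(parts[2]), int(parts[3])
        except ValueError:
            continue
        entries.append(PasswdEntry(parts[0], parts[1], uid, gid, parts[4], parts[5], parts[6]))
    return entries


def find_passwd_files(root: str) -> Iterator[str]:
    """Yield every file named passwd or group below root, whatever etc/ it sits in."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn in ("passwd", "group"):
                yield os.path.join(dirpath, fn)


def audit(root: str) -> List[str]:
    """Return one finding string per exposed hash or group file under root."""
    findings = []
    for path in find_passwd_files(root):
        world_readable = bool(os.stat(path).st_mode & 0o004)
        if os.path.basename(path) == "group":
            findings.append(f"{path}: group file exposed (world-readable={world_readable})")
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            entries = parse_passwd(fh.read())
        for e in entries:
            if e.exposes_hash:
                sev = "CRITICAL" if e.uid == 0 else "HIGH"
                findings.append(f"{path}: {sev} {e.name} (uid {e.uid}) has a password hash; "
                                f"world-readable={world_readable}")
    return findings


def sanitize(entries: List[PasswdEntry]) -> List[str]:
    """Rebuild passwd lines with every hash replaced by '*'; ls only needs name/uid/gid."""
    return [f"{e.name}:*:{e.uid}:{e.gid}:{e.gecos}:{e.home}:{e.shell}" for e in entries]


# Constructed sample: two live hashes (root and a user), the rest placeholders.
SAMPLE_PASSWD = """\
# constructed sample, not a real system's file
root:ab3Xk9lQm2zPw:0:0:root:/:/bin/sh
daemon:*:1:1:daemon:/:/bin/sh
sync:*:4:0:sync:/:/bin/sync
bin:x:2:2:bin:/bin:/bin/sh
alice:Qz7tGh2Lm0pWs:1001:100:Alice:/home/alice:/bin/sh
ftp:*:14:50:anonymous ftp:/home/ftp:/bin/false
"""
SAMPLE_GROUP = "wheel:*:0:root,alice\nusers:*:100:\n"


def build_sample_tree() -> str:
    """Create a throwaway web root with the ftp/etc and ftp-users/etc layout from the post."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for sub in ("ftp/etc", "ftp-users/etc"):
        os.makedirs(os.path.join(root, sub))
    passwd_path = os.path.join(root, "ftp/etc/passwd")
    with open(passwd_path, "w") as fh:
        fh.write(SAMPLE_PASSWD)
    os.chmod(passwd_path, 0o644)  # world-readable, as httpd would need it to serve the file
    with open(os.path.join(root, "ftp-users/etc/group"), "w") as fh:
        fh.write(SAMPLE_GROUP)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for finding in audit(root):
        print(finding)
    print("sanitized ftp/etc/passwd:")
    print("\n".join(sanitize(parse_passwd(SAMPLE_PASSWD))))
```

Run it against the real document root (`audit("/home/ftp")`, `audit("/usr/local/etc/httpd/htdocs")`) rather than the sample tree; any CRITICAL or HIGH finding means the hash is one GET request away from anyone who guesses the path, and a search engine may already have it. Replacing the file with the `sanitize` output keeps anonymous FTP's `ls` working while giving a crawler nothing to index.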
     

More information about the cypherpunks-legacy mailing list