Plugin ID | 13 |
Plugin name | HTTP /etc/passwd |
Plugin filename | HTTP -etc-passwd.plugin |
Plugin filesize | 2733 bytes |
Plugin family | HTTP |
Plugin created name | Marc Ruef |
Plugin created email | marc dot ruef at computec dot ch |
Plugin created web | http://www.computec.ch |
Plugin created company | computec.ch |
Plugin created date | 2003/11/13 |
Plugin updated name | Marc Ruef |
Plugin updated email | marc dot ruef at computec dot ch |
Plugin updated web | http://www.computec.ch |
Plugin updated company | computec.ch |
Plugin updated date | 2004/11/13 |
Plugin version | 2.0 |
Plugin changelog | Corrected the plugin structure and added the accuracy values in 1.3. Improved the pattern matching and added the changelog in 2.0. |
Plugin protocol | tcp |
Plugin port | 80 |
Plugin procedure detection | open|send GET /etc/passwd HTTP/1.0\n\n|sleep|close|pattern_exists HTTP/#.# ### *root:* |
Plugin detection accuracy | 98 |
Plugin comment | Many administrators create a fake /etc/passwd to fool attackers. Verify whether the retrievable passwd file is genuine before treating the finding as a real exposure. |
Bug affected | Web servers with a publicly accessible /etc/passwd. |
Bug not affected | Web servers without exposed sensitive data. |
Bug vulnerability class | Configuration |
Bug description | A file named /etc/passwd could be retrieved from the web server. This file may contain sensitive user data, which an attacker may use as a starting point for further attacks. |
Bug solution | Do not serve sensitive data unprotected over the World Wide Web. Delete the file if it is not needed at this location. If the file must remain reachable, restrict access to it (e.g. htaccess authentication or firewalling). |
Bug fixing time | 15 minutes |
Bug exploit availability | Yes |
Bug remote | Yes |
Bug local | Yes |
Bug severity | Medium |
Bug popularity | 9 |
Bug simplicity | 8 |
Bug impact | 8 |
Bug risk | 8 |
Bug check tools | Most CGI scanners are able to perform this check, for example N-Stealth, Whisker and Nikto. |
Source Literature | Hacking Exposed: Network Security Secrets & Solutions, Stuart McClure, Joel Scambray and George Kurtz, February 25, 2003, 4th Edition, McGraw-Hill Osborne Media, ISBN 0072227427 |
Source Misc. | http://www.computec.ch |