[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <47fe50604081507592588c641@mail.gmail.com>
From: xillwillx at gmail.com (Ill will)
Subject: ws_ftp.log
hi wlecome to 1998
On Sun, 15 Aug 2004 05:19:02 -0700 (PDT), Gaurang Pandya
<gaubrig@...oo.com> wrote:
> Hi,
>
> WS_FTP is a popular & feature rich ftp client. It
> makes upload/download as easy as drag & drop. But
> mostly peoples using this forget that it creates a log
> file with name ws_ftp.log. This file holds sensitive
> data such as file source/destination and file name,
> date/time of upload etc., People when use this to
> upload files to their website, never know that along
> with other files even ws_ftp.log file also gets
> uploaded to the webserver, making it globally
> accessible.
>
> One can find thousands of ws_ftp.log files with a
> quick google search as follows,
>
> http://www.google.com/search?hl=en&ie=UTF-8&q=inurl%3Aws_ftp.log
>
> now people might use extensive google search to find
> files that have got copied to web server recently with
> following query, which will show you what files
> actually got copied in Auguts 2004, because its likely
> that those files will still be in there in web server.
>
> http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=2004.08+inurl%3Aws_ftp.log+&btnG=Search
>
> An attacker has a look at cached google page (without
> actually hitting the target & leaving traces at
> webserver logs) and quickly finds out some vital
> informations such as,
>
> 1. Exact location of file in web server (i.e.,
> /usr/local/www/test/abc.htm instead of
> www.web.dom/test/abc.htm).
>
> 2. It some times also gives user names(in case where
> web master gives each user a directory to host their
> websites), which later can be used with brute
> force/dictonary attack to gain access to web server.
>
> 3. It makes it easy to find/download vulnerable
> scripts or classes in a website, with again just a
> google search, as given below. Which otherwise can be
> found by viewing source of html file. Which can later
> be use to attack the host.
>
> http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=class+2004.08+inurl%3Aws_ftp.log+
>
> Other than that it also (sometimes) gives internal
> hostname/ip address of webserver.
>
> Recommendation:
> Please remove ws_ftp.log file from website after data
> movement, and webmasters are requested to scan/remove
> such files from webserver (in case files are uploaded
> by some one else). Which can easily be done by a cron
> job.
>
> Special Thanks to:
> Johnny Long (http://johnny.ihackstuff.com) for his
> wonderful work of "The Google Hacker?s Guide
> Understanding and Defending Against
> the Google Hacker"
>
> Thanks & Regards,
>
> Gaurang.
> http://www.geocities.com/gaurangpandya/
>
> __________________________________
> Do you Yahoo!?
> Yahoo! Mail - 50x more storage than other providers!
> http://promotions.yahoo.com/new_mail
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
--
- illwill
http://illmob.org
Powered by blists - more mailing lists