Open Source and information security mailing list archives
 
Message-ID: <4120E42D.4010103@cr-secure.net>
From: chris at cr-secure.net (ChrisR-)
Subject: Re: ws_ftp.log

Hello,

This is not really anything new; try googling for someone's IP address, there is a lot of sensitive information to be found.
Even better, search for a public anonymous proxy IP; some proxy servers keep a public log of who has used them and what sites
they were used to visit. Not so anonymous anymore, are they? Google has always been a powerful tool for information gathering
in a variety of creative ways.

ChrisR-
www.cr-secure.net

===========================================================================

    Hi,

    WS_FTP is a popular & feature-rich FTP client. It
    makes upload/download as easy as drag & drop. But
    most people using this forget that it creates a log
    file with the name ws_ftp.log. This file holds sensitive
    data such as file source/destination and file name,
    date/time of upload, etc. When people use this to
    upload files to their website, they never know that along
    with the other files the ws_ftp.log file also gets
    uploaded to the webserver, making it globally
    accessible.

    One can find thousands of ws_ftp.log files with a
    quick Google search as follows:

    http://www.google.com/search?hl=en&ie=UTF-8&q=inurl%3Aws_ftp.log

    Now people might use an extensive Google search to find
    files that were copied to the web server recently with the
    following query, which will show you what files
    actually got copied in August 2004, because it's likely
    that those files will still be there on the web server.

    http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=2004.08+inurl%3Aws_ftp.log+&btnG=Search

    An attacker has a look at the cached Google page (without
    actually hitting the target & leaving traces in the
    webserver logs) and quickly finds out some vital
    information, such as:

    1. The exact location of a file on the web server (i.e.,
    /usr/local/www/test/abc.htm instead of
    www.web.dom/test/abc.htm).

    2. It sometimes also gives user names (in cases where the
    webmaster gives each user a directory to host their
    websites), which can later be used with a brute
    force/dictionary attack to gain access to the web server.

    3. It makes it easy to find/download vulnerable
    scripts or classes in a website, again with just a
    Google search, as given below, which otherwise can be
    found by viewing the source of an HTML file, and which can later
    be used to attack the host.

    http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=class+2004.08+inurl%3Aws_ftp.log+

    Other than that, it also (sometimes) gives the internal
    hostname/IP address of the webserver.

    Recommendation:
    Please remove the ws_ftp.log file from the website after data
    movement, and webmasters are requested to scan/remove
    such files from the webserver (in case files are uploaded
    by someone else), which can easily be done by a cron
    job.

    Special Thanks to:
    Johnny Long (http://johnny.ihackstuff.com) for his
    wonderful work, "The Google Hacker's Guide:
    Understanding and Defending Against
    the Google Hacker"

    Thanks & Regards,

    Gaurang.
    http://www.geocities.com/gaurangpandya/
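
The cron-job cleanup recommended in the quoted post could look like the following. This is an added example, not part of either message; the script name, the paths in the crontab comment and the quarantine layout are assumptions. It moves the logs out of the web root instead of deleting them, so the webmaster can review what was exposed.

```shell
#!/bin/sh
# Added example (not from the original post): quarantine stray WS_FTP logs.
# Usage: sweep-wsftp.sh DOCROOT QUARANTINE   (both paths are site-specific)
# Example crontab line, paths hypothetical:
#   15 3 * * * /usr/local/sbin/sweep-wsftp.sh /var/www /var/quarantine/wsftp

sweep_wsftp_logs() {
    docroot=${1%/}
    quarantine=${2%/}

    # Refuse a quarantine inside the web root: the logs would stay reachable.
    case "$quarantine/" in
        "$docroot"/*) echo "quarantine must be outside $docroot" >&2; return 2 ;;
    esac

    mkdir -p "$quarantine" && chmod 700 "$quarantine" || return 2

    # -iname catches WS_FTP.LOG and ws_ftp.log (GNU and BSD find support it);
    # -type f skips symlinks and directories; -xdev stays on one filesystem.
    find "$docroot" -xdev -type f -iname 'ws_ftp.log' -exec sh -c '
        q=$1; shift
        stamp=$(date +%Y%m%dT%H%M%S)
        for f in "$@"; do
            # Keep the original location in the new name for later review.
            dest="$q/$stamp$(printf %s "$f" | tr / _)"
            mv -- "$f" "$dest" && printf "%s\n" "$f"
        done' sh "$quarantine" {} +
}

# Run only when called with both arguments (e.g. from cron).
if [ "$#" -eq 2 ]; then
    sweep_wsftp_logs "$1" "$2"
fi
```

The function prints the original path of every log it moved, so cron mails the webmaster a list only when something was found.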




