Web Server Bug

Mike McGrath mmcgrath at redhat.com
Fri Jun 15 21:04:19 UTC 2007


David Douthitt wrote:
> Ricky Zhou wrote:
>   
>> I don't think just showing code/non-sensitive debugging information is a
>> huge security problem.  Consider that the code for the accounts system
>> is publicly viewable in CVS anyway (hooray for openness):
>> http://cvs.fedoraproject.org/viewcvs/fedora-accounts/?root=fedora.
>>     
> Having the code publicly available is one matter.
>
> However, the error showed the following security-related items in any case:
>
> * Python is being used (Risk: a hacker won't try Perl, Ruby, or shell
> code...)
> * Python v2.4.3 is being used (Risk: no need to guess at which cracks
> will work...)
> * PostgreSQL is being used (Risk: no need to try mySQL hacks....)
> * Directory tree: /srv/web/accounts/ (Risk: no need to search out
> location of code...)
>
> Certainly, having the code being open is a risk but a calculated one
> which is offset by the benefits.
>
> In security, this is known as an "information leak."  The best thing to
> do is *hide* all of this information (which also leads to nicer "error"
> pages for the user - no tech info, just a "sorry, nasty error: reported
> to sysadmin, thanks." or some such.
>   

We freely discuss all of the above items.  It's a side effect of being 
an open organization.  Someone might as well just say "hey, I'm looking 
at your accounts code and I'm wondering, what version of python are you 
using, what version of postgres is on the back end?"  Yes, the code dump 
is ugly but the accounts system is being completely re-written so all 
work to fix the current system has basically been put on hold, though 
the complaint you have is a common one.

    -Mike
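The mitigation David describes (a generic error page for the user, with the technical details kept server-side) as an added Python example; this is not code from the Fedora accounts system, and the middleware, the failing app and the constructed error text are assumptions for illustration.

```python
import logging
import sys
import traceback
import uuid
from typing import Callable, Iterable

# Constructed example: a WSGI middleware that keeps tracebacks on the server.
# GenericErrorMiddleware and failing_app are hypothetical names, not part of
# the accounts system under discussion.

log = logging.getLogger("accounts.errors")

GENERIC_BODY = (
    b"Sorry, an internal error occurred. It has been reported to the "
    b"system administrators. Reference: %s\n"
)


class GenericErrorMiddleware:
    """Wrap a WSGI app so an uncaught exception never reaches the client.

    The traceback (interpreter version, file paths, backend details) goes to
    the server log under a random reference id; the client sees only the id.
    """

    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        try:
            return self.app(environ, start_response)
        except Exception:
            ref = uuid.uuid4().hex[:12]
            # Diagnostic detail stays in the log, keyed by the reference id.
            log.error("unhandled error ref=%s path=%s\n%s", ref,
                      environ.get("PATH_INFO", ""), traceback.format_exc())
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain; charset=utf-8")],
                           sys.exc_info())
            return [GENERIC_BODY % ref.encode()]


def failing_app(environ, start_response):
    # Hypothetical app whose error message is exactly what we do not want leaked.
    raise RuntimeError("cannot reach PostgreSQL; config in /srv/web/accounts/")


def render(app, path="/accounts/"):
    """Run one request through a WSGI app and return (status, body text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(render(GenericErrorMiddleware(failing_app)))
```

An exception raised while the server iterates a streaming response body is not caught by this wrapper; for that case the middleware would also need to wrap the returned iterable.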