On Tue, Dec 21, 2004 at 09:41:35PM +0000, Jan Minar wrote:
> Package: apache
> Version: 1.3.33-2
> Severity: minor
> Tags: security
>
> Hi.
>
> /var/log/apache is world-readable, so users can e.g. check whether
> a certain operation triggered an error. And given that the error strings
> are pretty standardized, they can guess what string has been added to
> the logfile, judging by the number of bytes that were appended to the
> log.
>
> As this is not very obvious to the system administrator, and as there is
> no use in the /var/log/apache directory being readable and searchable while
> the files in it are not, apart from the information disclosure described
> above, I think it should be chmod-ed 750, just as the logs in it are
> chmod 640.
I don't see a scenario where this could result in a meaningful security
issue. The user can just as easily find out that an error was caused by
noticing the 5xx error returned by the server in response to the request.

-- 
 - mdz