Log Directory and phpinfo()

Background

dadaIMC is content management software for the development of an Independent Media Center site.

Description

Logging information for dadaIMC is stored by default in a directory named /logs/ at the root level of your web site. Because the logs may contain sensitive information, and Apache will serve ".log" files as plain text, this could allow arbitrary users to view your log files.

In addition, legacy installations of dadaIMC contain a phpinfo.php file in the /docs/ directory, which allows a user to view PHP and Apache configuration information that may be used to aid in an attack.

Analysis

Access to logging and configuration information is not necessarily a vulnerability in itself, but the information gleaned from such files may be useful in crafting other forms of attack. In this case, files containing such information may be publicly accessible through a web browser.

Detection

This problem exists in any dadaIMC installation which stores its logs in the default /logs/ directory at the root level of the site, and/or which contain a phpinfo.php file within a web-readable /docs/ directory.

Workaround

it is recommended that you either change the default logging location in the Site Prefs to something outside of the web root, or restrict access to the /logs/ directory using a directive like:

<Directory /logs>
   Order allow,deny
   Deny from all
</Directory>

The phpinfo.php file may be safely deleted from the /docs/ directory will no ill effects.

Timeline

2005-02-20 Discovery reported to IMC-Security list

Credit

alster-AT-indymedia.org provided a list of possible vulnerabilities