
A logwatch report outputted the following message.

A total of 1 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):

/?_SERVER[DOCUMENT_ROOT]=../../../../../../../../../../../etc/passwd%00 HTTP Response 200

I am aware that this match is based on a predefined list of strings from Logwatch and that it is a possible exploit but I am unsure how to investigate further to be certain it is not one.

  1. Is it enough to just visit this URL in the browser and check if there is no private information being output, or are there other methods/places I need to check?

  2. Does the HTTP response 200 mean it reached the /etc/passwd directory?

devunder

1 Answer

  1. Is it enough to just visit this URL in the browser and check if there is no private information being outputted?

For a first-level approach, yes. But that doesn't mean there are no other vulnerabilities in the code. Possible approaches would be to run a security scanner that checks for common and known vulnerabilities, a full penetration test or code audit.

  2. Does the HTTP response 200 mean it reached the /etc/passwd file?

No, it does not. It simply shows that the server successfully completed the request, not that it parsed the GET parameters as the attacker hoped. Even a request for static content can be appended with options, which will be simply ignored.

Most internet exposed servers are continuously probed so unless you get unexpected results when repeating such requests there's little of immediate concern.

HBruijn
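A defender-side check that follows the answer's reasoning, added here as an example that is not from the question or the answer: it scans access-log lines (constructed samples, including the probe from the question) for traversal and null-byte indicators and, for 200 responses, compares the response size with the size of the plain page, since an unchanged size suggests the parameter was simply ignored. The combined log format, the sample sizes and the indicator list are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format; line 2 mirrors the
# request quoted in the question, the others are ordinary traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:50:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?_SERVER[DOCUMENT_ROOT]=../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 5120 "-" "curl/7.68.0"
203.0.113.5 - - [10/Oct/2023:13:56:20 +0000] "GET /img/x.png?f=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# Indicators checked on the URL-decoded target, so encoded variants are caught.
INDICATORS = {
    "dot-dot-slash": re.compile(r"\.\.[/\\]"),
    "null-byte": re.compile("\x00"),
    "etc-passwd": re.compile(r"/etc/passwd"),
    "superglobal-override": re.compile(r"_SERVER\[|_GET\[|_POST\[|GLOBALS\["),
}

def parse(text):
    """Yield (target, status, size) for each well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            size = int(m["size"]) if m["size"].isdigit() else 0
            yield m["target"], int(m["status"]), size

def assess(status, size, baseline_size):
    """A 200 only proves the request was served; same size as the plain page
    means the parameter was most likely ignored, a different size needs a look."""
    if status != 200:
        return "not served"
    if baseline_size is not None and baseline_size == size:
        return "served, body same size as normal page: parameter likely ignored"
    return "served with unexpected size: inspect the response body"

def scan_access_log(text):
    """Return one finding per request whose decoded target hits an indicator."""
    # Pass 1: size of each path when served (200) without a query string.
    baseline = {t: s for t, st, s in parse(text) if "?" not in t and st == 200}
    findings = []
    for target, status, size in parse(text):
        decoded = unquote(unquote(target))  # double decode: %252e -> %2e -> .
        hits = [n for n, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            path = target.split("?", 1)[0]
            findings.append({"target": target, "status": status, "indicators": hits,
                             "assessment": assess(status, size, baseline.get(path))})
    return findings
```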