mushorg / glastopf

Web Application Honeypot
http://glastopf.org

Fingerprinting Glastopf using LFI of /proc #251

Closed glaslos closed 6 years ago

glaslos commented 9 years ago

Quoting an email:

It's based on the fact that the LFI emulation must enable you to get to /proc; otherwise it doesn't make sense to serve the other files which are the goal of emulating the LFI vulnerability (/etc/passwd and /etc/shadow). From there, there are multiple ways to understand that it's not a real system (/proc is impossible to simulate). POSSIBLE FIX: the easiest one is to return permission denied on /proc, but that might still raise eyebrows.
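The "permission denied on /proc" mitigation sketched in the quoted email, as an added illustration that is not Glastopf's own code: a minimal LFI emulator that resolves traversal sequences against an assumed web root, serves canned `/etc/passwd` and `/etc/shadow` contents, and refuses anything under `/proc` rather than fabricating procfs output. The web root, the file contents and the PHP-style warning strings are constructed for the example.

```python
import posixpath
from typing import Tuple

# Constructed sample contents served by the emulated LFI (not from any real host).
FAKE_FILES = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n",
    "/etc/shadow": "root:$6$PLACEHOLDER$PLACEHOLDER:18000:0:99999:7:::\n",
}

# Assumed document root that relative include paths are resolved against.
WEB_ROOT = "/var/www/html/"


def normalize_lfi_path(raw: str) -> str:
    """Turn an already URL-decoded LFI parameter such as
    '../../../../proc/self/environ\\x00' into the absolute path a vulnerable
    PHP include() would have tried to open."""
    # Older PHP truncated the path at a NUL byte; mimic that quirk so the
    # emulation does not expose itself by handling it differently.
    raw = raw.split("\x00", 1)[0]
    path = raw if raw.startswith("/") else WEB_ROOT + raw
    # normpath collapses '..' and stops at '/', like a real filesystem walk.
    return posixpath.normpath(path)


def emulate_lfi(raw: str) -> Tuple[int, str]:
    """Return (status, body) for an LFI attempt.

    Anything under /proc gets a permission-denied response, the fix the
    issue suggests, instead of invented procfs content. Known static files
    are served from FAKE_FILES; everything else looks like a missing file."""
    path = normalize_lfi_path(raw)
    if path == "/proc" or path.startswith("/proc/"):
        return 403, f"Warning: include({path}): failed to open stream: Permission denied"
    if path in FAKE_FILES:
        return 200, FAKE_FILES[path]
    return 404, f"Warning: include({path}): failed to open stream: No such file or directory"
```

As the email notes, a blanket denial on /proc is still a tell, since a real web server user can normally read its own /proc/self entries.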

glaslos commented 6 years ago

This is a won't fix. Please use https://github.com/mushorg/snare if this is an issue for you.