Re: Discus advisory.

From: Ian R. Justman (ianjat_private)
Date: Wed Apr 28 1999 - 16:41:15 PDT


    On Fri, 23 Apr 1999, Elaich Of Hhp wrote:
    
    >           (hhp) Discus advisory. (hhp)
    > ---------------------------------------------------
    > 	Discus (Free discussion for your Web Site!)
    > at http://www.chem.hope.edu/discus/ has a directory
    > and  file  permission  problem.  The code is really
    > messy  and  they  need to learn file and permission
    > operations  better.  The source determines the mode
    > of  the  directories  and files from other sources:
    > Line:   533   in  discus3_01/source/src-board-setup
    > which  is  a  totally bad idea being that no matter
    > what,  the  private  files  should not be +r... ie,
    > the  *.txt's  and so on.  I  contacted the software
    > programmers  and  hope  they recognize this problem
    > being  that  the files are so open and easy to find
    > with any public search engines.  I  noticed quite a
    > few  servers  are  using  this software and I would
    > guesstimate  about  80%  or  more are  vulnerable to
    > getting  their  userfile  cracked  and their server
    > rooted.
    > 	So   my   suggestion  to  people using this
    > software  is  check your modes or either wait for a
    > new release of the software.  I did not want to get
    > into making a patch being that they need to totally
    > redo some of their methods.
    >
    > elaich - 2:30:15am CST 4/24/1999
    > --------------------------------------------
    > elaich of the hhp.
    > Email: hhpat_private / pigspigsat_private
    > Voice: 1800-Rag-on-gH pin: The-hhp-crew
    > Web: http://hhp.hemp.net
    > --------------------------------------------
    
    Showed this to my boss because one of our customers (one whose account we
    are currently reviewing) runs this script.
    
    If this is running under Linux, FreeBSD or any system with a decent shadow
    password system or something similar AND a sanely-configured web server,
    e.g. with CGIwrap, any internal wrappering which runs scripts as the owner
    of the script like any later version of Apache with the integrated setuid
    wrapper, or at the very least just outright running scripts as an
    arbitrary unprivileged user, there is no problem.  You can't read
    /etc/shadow|/etc/master.passwd|/etc/whatever if you're not a privileged
    user.  ;)
    
    --Ian.
    
    ---
    Ian R. Justman (ianjat_private)
    System Administrator and Postmaster, CalWeb Internet Services, Inc.
    Office:  (916) 641-9320
    Finger ianjat_private for my public PGP key.
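
A mode check along the lines the advisory recommends ("check your modes"), as an added example that is not part of either message and is not Discus code. The function names and the directory argument are assumptions; the tightening step only suits the setup the reply describes, where the CGI runs as the owner of the files (CGIwrap or Apache's setuid wrapper).

```shell
#!/bin/sh
# Added example: audit a board's data tree for modes that expose
# private files. Pass the install's data directory as the argument;
# no path is taken from the advisory.

# Print every *.txt file (the file type the advisory names) that has
# the "other" read bit set, and every directory that "other" can write.
audit_modes() {
    find "$1" -type f -name '*.txt' -perm -004 -print
    find "$1" -type d -perm -002 -print
}

# Remove "other" access from exactly what audit_modes reports.
# Assumption: scripts run as the file owner. If the web server runs
# every script as one shared unprivileged user that is not the owner
# and not in the files' group, the board can no longer read its data.
tighten_modes() {
    find "$1" -type f -name '*.txt' -perm -004 -exec chmod o-rwx {} +
    find "$1" -type d -perm -002 -exec chmod o-w {} +
}

# Typical use (the path is a placeholder):
#   audit_modes /path/to/board/data      # review the list first
#   tighten_modes /path/to/board/data    # then fix, then re-audit
```

File modes only control which local users can read the data; whether the web server hands the same files to a remote browser is decided by the server configuration and should be checked separately.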
    


