Re: Discus advisory.

From: Elaich Of Hhp (hhpat_private)
Date: Thu Apr 29 1999 - 16:50:34 PDT


    On Wed, 28 Apr 1999, Ian R. Justman wrote:
    > Showed this to my boss because one of our customers (one whose account we
    > are currently reviewing) runs this script.
    >
    > If this is running under Linux, FreeBSD or any system with a decent shadow
    > password system or something similar AND a sanely-configured web server,
    > e.g. with CGIwrap, any internal wrappering which runs scripts as the owner
    > of the script like any later version of Apache with the integrated setuid
    > wrapper, or at the very least just outright running scripts as an
    > arbitrary unprivileged user, there is no problem.  You can't read
    > /etc/shadow|/etc/master.passwd|/etc/whatever if you're not a privileged
    > user.  ;)
    >
    > --Ian.
    
    Well I never said that /etc/shadow, /etc/passwd etc. etc. were readable.
    and the stuff you stated above is not the problem here.  The software
    creates the directory with 666 perms. In that directory there is a
    users.txt and an admin.txt which both contain crypt(3) passwds.
    
    Here is one of the simple replies I have received.
    
    - Date: Mon, 26 Apr 1999 09:32:23 -0400
    - From: mwerneburgat_private
    - To: hhpat_private
    - Subject: Re: Discus advisory.
    -
    - Good post.  I'm administering a discus installation and was appalled to
    - see files like passwd.txt with 666 perms.  Thanks for the heads-up!
    
    
    -elaich
    
    -----------------------------------------
    elaich of the hhp.            hhp-1999(c)
    Email:  hhpat_private
    Web:   http://hhp.hemp.net/
    Voice: 1-800-Rag-on-gH pin: The-hhp-crew
    hhp-ms: hhp.hemp.net, port:7777, pass:hhp
    -----------------------------------------
    
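A defender's check for the condition the post describes, as an added example that is not part of the original thread or of the Discus software: it audits a Discus data directory for hash files (users.txt and admin.txt, as named above) that any local user can read or write, flags a world-writable directory, and tightens the modes. The directory path and hash values below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the post or the Discus project.

# Octal permission bits of a path, e.g. 666 (GNU stat first, then BSD stat).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# "Other" digit of the mode: 4=read, 2=write, 1=execute, added together.
other_bits() {
  mode_of "$1" | sed 's/.*\(.\)$/\1/'
}

# Count hash files in a Discus data dir that anyone on the host can read or
# write, plus the directory itself if it is world-writable (file replacement).
count_insecure() {
  dir="$1"; n=0
  for f in users.txt admin.txt; do
    [ -f "$dir/$f" ] || continue
    case "$(other_bits "$dir/$f")" in
      0|1) ;;                       # neither read nor write for "other"
      *)   echo "INSECURE: $dir/$f mode $(mode_of "$dir/$f")" >&2; n=$((n+1)) ;;
    esac
  done
  case "$(other_bits "$dir")" in
    2|3|6|7) echo "INSECURE: $dir is world-writable" >&2; n=$((n+1)) ;;
  esac
  echo "$n"
}

# Remediation: hash files readable only by their owner (the user the CGI runs
# as), directory no longer writable by others.
harden() {
  dir="$1"
  for f in users.txt admin.txt; do
    [ -f "$dir/$f" ] && chmod 600 "$dir/$f"
  done
  chmod o-w "$dir"
}

# Constructed demo tree reproducing the layout the post describes.
demo_dir=$(mktemp -d)
printf 'admin:%s\n' 'CONSTRUCTED_CRYPT_HASH' > "$demo_dir/admin.txt"
printf 'alice:%s\n' 'CONSTRUCTED_CRYPT_HASH' > "$demo_dir/users.txt"
chmod 666 "$demo_dir/users.txt" "$demo_dir/admin.txt"
chmod 777 "$demo_dir"
before=$(count_insecure "$demo_dir")
harden "$demo_dir"
after=$(count_insecure "$demo_dir")
echo "insecure entries before: $before, after: $after"
rm -rf "$demo_dir"
```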



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:44:29 PDT