Hello again,

First of all, I must apologize for the corrupt date of my last post.

Now:

Rob Gilde wrote:

> Guy is discussing an issue that affects older versions of BIG/ip.
> As he points out, the risk is from internal users. In older versions
> of BIG/ip, there is effectively only one user and that user has root
> privileges. That user could execute commands as root through a shell
> escape in our web-based user interface.
>
> As of Version 2.1, this is no longer possible. The current version
> of BIG/ip is 2.1.2. The software update is available for free over
> the net to all customers with support contracts.

Unfortunately, this affects version 2.1.2 too. I added (using the HTML interface) a user with READ-ONLY access, logged in as this user and, by executing

  'bigconf.cgi?command=view_textfile&file=/etc/master.passwd&filters=;'

I was able to see the encrypted passwords in /etc/master.passwd, which is for root's eyes only.

--
Guy Cohen
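The report above boils down to two missing checks in a file-viewing CGI: the requested path is never tested against what the caller's role may read, and the `filters` value is accepted with a shell metacharacter in it. The following is an added illustration written for this archive page, not F5's bigconf.cgi code and not a claim about how that CGI was implemented. It contrasts a naive handler, which only asks "is this user logged in?", with a hardened one that enforces a per-role allowlist of files and rejects filter strings containing anything but plain substring characters. The role names, allowlists, the in-memory file contents and the way the naive handler treats `;` (as a shell would, as a command separator) are all assumptions made for the example.

```python
from urllib.parse import unquote_plus

# Constructed sample: the exact query string from the post, as a read-only user.
SAMPLE_QUERY = "command=view_textfile&file=/etc/master.passwd&filters=;"

# Hypothetical in-memory "filesystem" so the example runs offline; contents are made up.
FAKE_FS = {
    "/var/log/bigip.log": "pool member up\nhealth check failed\n",
    "/etc/master.passwd": "root:$1$made$up:0:0::0:0:Charlie &:/root:/bin/csh\n",
}

# Assumed per-role allowlists: a read-only user may see logs, only an admin may
# see root-only files such as /etc/master.passwd.
VIEWABLE = {
    "readonly": {"/var/log/bigip.log"},
    "admin": {"/var/log/bigip.log", "/etc/master.passwd"},
}

# A filter is a plain substring; letters, digits, space, '_', '.', '-' only.
SAFE_FILTER_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.- ")


def _parse(query):
    """Split on '&' only (never on ';', which older parsers also treated as a separator)."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return (params.get("command", ""), params.get("file", ""), params.get("filters", ""))


def _apply_filter(text, needle):
    """Keep only lines containing the literal substring `needle` (empty = keep all)."""
    if not needle:
        return text
    return "".join(ln for ln in text.splitlines(keepends=True) if needle in ln)


def naive_view_textfile(query, role):
    """Vulnerable pattern (assumed, for contrast): any known user may read any path.
    The filter is handed to a shell-like splitter, so 'filters=;' means "no filter,
    then run an empty command" and the whole file comes back. Nothing is executed here."""
    command, path, filters = _parse(query)
    if command != "view_textfile" or role not in VIEWABLE:
        return (False, "unsupported command or unknown user")
    needle = filters.split(";")[0]          # ';' acts as a command separator (assumption)
    return (True, _apply_filter(FAKE_FS.get(path, ""), needle))


def hardened_view_textfile(query, role):
    """Hardened pattern: path must be in the caller's allowlist and the filter must
    contain only safe substring characters before any file is read."""
    command, path, filters = _parse(query)
    if command != "view_textfile":
        return (False, "unsupported command")
    if path not in VIEWABLE.get(role, set()):
        return (False, f"{role} may not view {path}")
    if any(ch not in SAFE_FILTER_CHARS for ch in filters):
        return (False, "filter contains disallowed characters")
    return (True, _apply_filter(FAKE_FS[path], filters))


if __name__ == "__main__":
    print("naive   :", naive_view_textfile(SAMPLE_QUERY, "readonly"))
    print("hardened:", hardened_view_textfile(SAMPLE_QUERY, "readonly"))
```

Run as a script it prints the naive handler leaking the constructed root hash to the read-only user and the hardened handler refusing the same request; note that even an admin is refused while `filters=;` is present, because the metacharacter check is independent of the role check.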
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:10:57 PDT