[Cobalt] Security Advisory - cgiwrap

From: Jeff Bilicki (jeffbat_private)
Date: Tue Nov 09 1999 - 15:09:39 PST

Next message: echo8: "flaw in dmesg under Solaris"

Previous message: Chris Adams: "Re: Security flaw in Cobalt RaQ2 cgiwrap"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Cobalt Networks -- Security Advisory -- 11.09.1999

Problem:
The current version of cgiwrap that runs on RaQ 2 and RaQ 3i, runs under
incorrect effective permissions, which could let a malicious site-admin
view or modify data in another virtual site on the same unit.

Description:
Thanks to Chris Adams <cmadamsat_private>

Chris Adams wrote:
>There is a problem (actually several) with the "cgiwrap" program on
>Cobalt RaQ2 servers.  It is supposed to run CGI programs as the proper
>user instead of "nobody" to make CGIs a little more secure.
[SNIP]
>The bigger problem is that cgiwrap apparently interprets top level
>directories of the site /web directory as users.  So if you have a CGI
>in a directory like /home/sites/site1/web/test/test.cgi and attempt to
>go to it at http://www.site1.com/test/test.cgi AND there is a user on
>the system named "test", cgiwrap thinks it should run the script as user
>"test".  It then actually attempts to run a script in /web directory of
>the user "test".
[SNIP]

Cobalt Networks is dedicated to providing secure platforms.
Accordingly, we have just completed a fix for this bug that is available
in RPM format, which can be found at the following locations:

RaQ 3i (x86)
RPM:
ftp://ftp.cobaltnet.com/pub/experimental/secuirty/rpms/cgiwrap-pacifica-3.6.4.C5.i386.rpm
SRPM:
ftp://ftp.cobaltnet.com/pub/experimental/secuirty/srpms/cgiwrap-pacifica-3.6.4.C5.src.rpm

RaQ 2 (MIPS)
RPM:
ftp://ftp.cobaltnet.com/pub/experimental/secuirty/rpms/cgiwrap-raq2-3.6.4.C5.mips.rpm
SRPM:
ftp://ftp.cobaltnet.com/pub/experimental/secuirty/srpms/cgiwrap-raq2-3.6.4.C5.src.rpm


MD5 sum                          Package Name
--------------------------------------------------------------------------
701b43ba607edee44c684ac2d428e710 cgiwrap-pacifica-3.6.4.C5.i386.rpm
41b7277afefb199c01a212dc86dab05b cgiwrap-pacifica-3.6.4.C5.src.rpm
0484a11647a3700fa0b9afe431c55d19 cgiwrap-raq2-3.6.4.C5.mips.rpm
5f3b483c352d25b3b11d266811e8b933 cgiwrap-raq2-3.6.4.C5.src.rpm

You can verify each rpm using the following command:
rpm --checksig  [package]

To install, use the following command, while logged in as root:
rpm -U [package]

The package file format (pkg) for this fix is currently in testing, and
will be available in the very near future.


Jeff Bilicki
Software Engineer
Cobalt Networks
jeffbat_private

Next message: echo8: "flaw in dmesg under Solaris"
Previous message: Chris Adams: "Re: Security flaw in Cobalt RaQ2 cgiwrap"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:11:01 PDT