Insecure default permissions for MailMan Professional Edition

From: S, Jared (rpcat_private)
Date: Wed Dec 01 1999 - 14:47:56 PST

    Hello,
    
    There exists a potentially severe security issue regarding the default
    permissions that the Endymion web-based email suite uses to create files
    and directories for internal use.
    
    This issue regards files created by Endymion in the admin-specified
    'users/' directory
    ($mailman::strLocalLocationUsers in mmprool.cgi).
    
    I was disturbed to see default permissions of 666 for files, and 777 for
    directories created by Endymion. I have been able to:
    
    1) read/write/delete arbitrary users' email from an unprivileged account
    2) overwrite/trash arbitrary files owned by uid webmaster.
    
    Note that the uid these operations perform as is dependent on which uid
    decompresses the program, and on whether the system administrator has taken
    the time to check the permissions of said decompressed files.
    
    I do recognize that Endymion warns sysadmins to change the permission
    values in the script, but of course we know how concerned most sysadmins
    are with security :)
    
    My suggested changes:
    1) default file permissions of 0600
    2) default directory permissions of 0700
    
    
    Regards,
    --jared <rpcat_private>
    Security Specialist
    Internet Arena
    
    Greets: lesia/unholy/b4b0/hhp
    
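A check and fix for the permissions problem described above, added here as an example; it is not code from the original post or from Endymion's MailMan. It assumes the users/ directory path is passed as an argument (the post identifies it only as $mailman::strLocalLocationUsers in mmprool.cgi) and that it runs as the uid that owns the files, i.e. the uid the web server executes the CGI as.

```shell
#!/bin/sh
# Added example (not part of the original post or of Endymion's MailMan code).
# Assumptions: the users/ directory is passed as $1 (in MailMan it is whatever
# $mailman::strLocalLocationUsers names), and this runs as the uid that owns
# the files, i.e. the uid the web server executes the CGI as.

# Report every file or directory under $1 that is group- or world-writable
# (mode bits 0020 / 0002). Returns 0 if nothing was found, 1 otherwise.
audit_perms() {
    _bad=$(find "$1" \( -perm -0002 -o -perm -0020 \) -print)
    if [ -n "$_bad" ]; then
        printf 'group/world-writable entries under %s:\n%s\n' "$1" "$_bad"
        return 1
    fi
    return 0
}

# Apply the defaults suggested in the post to an existing tree:
# 0700 for directories, 0600 for files.
fix_perms() {
    find "$1" -type d -exec chmod 0700 {} +
    find "$1" -type f -exec chmod 0600 {} +
}

# Create a new per-user directory and mailbox the way the CGI should: with a
# restrictive umask the kernel strips the group/other bits at creation time,
# so the file never exists as 0666 while waiting for a later chmod.
create_user_dir() {
    ( umask 077 && mkdir -p "$1" && : > "$1/mailbox" )
}

# Stand-alone use: sh audit_users.sh /path/to/users [--fix]
# Exit status is non-zero if insecure entries were found and not fixed.
if [ $# -gt 0 ]; then
    audit_perms "$1" || { [ "${2:-}" = "--fix" ] && fix_perms "$1"; }
fi
```

The post's own suggestion is to change the default mode values inside the script; create_user_dir above reaches the same 0600/0700 result through the umask, which avoids relying on a chmod after the file already exists. The audit is worth running regardless of which fix is applied, since, as the post notes, the uid and modes of the unpacked files also depend on who decompressed the distribution.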

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:16:25 PDT