On Tue, Jan 18, 2000 at 12:21:03AM +0000, foo wrote:
> Nortel's new Contivity series extranet switches
> (http://www.nortelnetworks.com/products/01/contivity) give administrators
> the ability to enable a small HTTP server and use Nortel's web based
> administration utility to handle configuration and maintenance.
> The server runs atop the VxWorks operating system and is located in the
> directory /system/manage. A CGI application, /system/manage/cgi/cgiproc
> that is used to display the administration html pages does not properly
> authenticate users prior to processing requests. An intruder can
> view any file on the switch without logging in.

As a user of the aforementioned product, it's important to note that only
the management side (read: your internal network) can access the HTTP
server of the switch (by default, though I don't even think you can change
this.)

I'm not downplaying the stupidity of cgiproc, I'm just saying let's not all
run and turn our Contivity switches off.

-- 
Bill Fumerola - Network Architect
Computer Horizons Corp - CVM
e-mail: billf@chc-chimes.com / billfat_private
Office: 800-252-2421 x128 / Cell: 248-761-7272
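The reply's mitigating point is that the switch's HTTP server is reachable only from the management side. A defender who wants to confirm that in practice can watch the web-server access log for requests to the unauthenticated CGI path named in the advisory that originate outside the management network. The following script is an added example, not code from the original post or from Nortel: the Common Log Format layout, the 10.0.0.0/8 management prefix and the sample log lines are all constructed assumptions.

```python
"""Added example (not from the original mailing-list post): flag requests to
the Contivity web-management CGI that arrive from outside the management
network. The log format, the management prefix and the sample lines below
are constructed assumptions, not Nortel's."""
import ipaddress
import re

# Path named in the advisory quoted in the post.
CGIPROC_PATH = "/system/manage/cgi/cgiproc"

# Assumption: the management side of the switch is this internal range.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_clf(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_management_source(ip_str):
    """True when the client address lies inside one of the management networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in MANAGEMENT_NETS)


def find_external_cgiproc_requests(lines):
    """Return parsed records for cgiproc requests whose source is not on the management network."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        # Strip any query string so only the path component is compared.
        path = rec["path"].split("?", 1)[0]
        if path == CGIPROC_PATH and not is_management_source(rec["ip"]):
            hits.append(rec)
    return hits


# Constructed sample log: one internal hit, one external hit, one unrelated
# request and one unparseable line.
SAMPLE_LOG = [
    '10.1.2.3 - - [18/Jan/2000:00:15:02 +0000] "GET /system/manage/cgi/cgiproc?page=status HTTP/1.0" 200 1843',
    '203.0.113.7 - - [18/Jan/2000:00:16:41 +0000] "GET /system/manage/cgi/cgiproc?page=status HTTP/1.0" 200 1843',
    '203.0.113.7 - - [18/Jan/2000:00:16:45 +0000] "GET /index.html HTTP/1.0" 200 512',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for rec in find_external_cgiproc_requests(SAMPLE_LOG):
        print(f"ALERT: cgiproc request from non-management source {rec['ip']} at {rec['ts']}")
```

Any hit from the script means the "management side only" assumption does not hold for that deployment and the interface exposure should be reviewed; an empty result over a representative log window is evidence supporting the reply's point.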
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:29:03 PDT