at the time of writing, 5.0p2 is the currently available revision on iplanet's download site. the problem: the standard install of iPlanet Calendar server stores the NAS LDAP admin username and password in plaintext in the world readable file: -rw-r--r-- 1 icsuser icsgroup 37882 Feb 20 10:18 /opt/SUNWics5/cal/bin/config/ics.conf in the fields local.authldapbinddn (username) and local.authldapbindcred (password) this potentially gives all local users full read/write access to the underlying NAS LDAP database (which is normally used for admin facilities such as storing user / group profiles, passwords, ACLs, SSL certificates and/or other sensitive company information), and full administrative control of the local NAS server. this access could in turn lead to compromise of other facilities such as web/e-commerce sites, directories etc. i believe that the default install of the underlying NAS LDAP server and associated administration packages allow remote admin via tcp/ip, so other remote compromises that allow reading of world readable files (or any other disclosures of the above file contents) could lead to full remote read/write access of the NAS LDAP database and full remote administrative control of the server. this was reported to iplanet at the end of february 2001, who requested i submit it to netscape's online bug-tracking system which i did on 3rd march. i have heard nothing from them since. i have not personally investigated or tested any fix for this. enjoy, Adam -- Adam Laurie Tel: +44 (20) 8742 0755 A.L. Digital Ltd. Fax: +44 (20) 8742 5995 Voysey House http://www.thebunker.net Barley Mow Passage http://www.aldigital.co.uk London W4 4GB mailto:adamat_private UNITED KINGDOM PGP key on keyservers
This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 13:16:57 PDT