RE: Arkeia Possible remote root & information leakage

From: Neil Curri (NCurriat_private)
Date: Fri Aug 17 2001 - 08:32:36 PDT

    > Because the salt is known and because the max password length is 8
    > characters it would not be beyond the realms of possibility to crack
    > the password (effectively a root password) 
    > 
    It is only an arkeia "root" password. It's not even a real user with a
    shell. Make sure your system root password is different from your arkeia
    root password.
    
    > once you have access through
    > the gui, you have the possibility of running a command from the gui
    > before and after the backup job. This command is run as root and can be
    > anything. 
    > 
    I didn't realize this, but it makes sense. If you install the RPM as
    the system root, arkeia processes will be run as root. 
    
    > Use an SSH tunnel (www.ssh.com www.openssh.com)
    > 
    This article on arkeia's support site explains how to set up an ssh tunnel
    through a firewall for arkeia:
    http://support.arkeia.com/cgi-bin/arkeia/solution?11=000322-0014&130=0953783453&14=&2715=&15=&2716=&57=search&58=&2900=JP9cQm9m9p&25=7&3=ssh
    


