[10381] in bugtraq
Re: Discus advisory.
daemon@ATHENA.MIT.EDU (Ian R. Justman)
Thu Apr 29 14:52:04 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSF.4.05.9904281634510.87084-100000@staff.calweb.com>
Date: Wed, 28 Apr 1999 16:41:15 -0700
Reply-To: "Ian R. Justman" <ianj@CALWEB.COM>
From: "Ian R. Justman" <ianj@CALWEB.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.10.9904231317160.5052-100000@ns.suspend.net>

On Fri, 23 Apr 1999, Elaich Of Hhp wrote:
> (hhp) Discus advisory. (hhp)
> ---------------------------------------------------
> Discus (Free discussion for your Web Site!)
> at http://www.chem.hope.edu/discus/ has a directory
> and file permission problem. The code is really
> messy and they need to learn file and permission
> operations better. The source determines the mode
> of the directories and files from other sources:
> Line: 533 in discus3_01/source/src-board-setup
> which is a totally bad idea being that no matter
> what, the private files should not be +r... ie,
> the *.txt's and so on. I contacted the software
> programmers and hope they recognize this problem
> being that the files are so open and easy to find
> with any public search engines. I noticed quite a
> few servers are using this software and I would
> guesstimate about 80% or more are vulnerable to
> getting their userfile cracked and their server
> rooted.
> So my suggestion to people using this
> software is to either check your modes or wait for a
> new release of the software. I did not want to get
> into making a patch being that they need to totally
> redo some of their methods.
>
> elaich - 2:30:15am CST 4/24/1999
> --------------------------------------------
> elaich of the hhp.
> Email: hhp@hhp.hemp.net / pigspigs@yahoo.com
> Voice: 1800-Rag-on-gH pin: The-hhp-crew
> Web: http://hhp.hemp.net
> --------------------------------------------

Showed this to my boss because one of our customers (one whose account we
are currently reviewing) runs this script.

If this is running under Linux, FreeBSD or any system with a decent shadow
password system or something similar AND a sanely-configured web server,
e.g. with CGIwrap, any internal wrappering which runs scripts as the owner
of the script like any later version of Apache with the integrated setuid
wrapper, or at the very least just outright running scripts as an
arbitrary unprivileged user, there is no problem. You can't read
/etc/shadow|/etc/master.passwd|/etc/whatever if you're not a privileged
user. ;)

--Ian.
---
Ian R. Justman (ianj@calweb.com)
System Administrator and Postmaster, CalWeb Internet Services, Inc.
Office: (916) 641-9320
Finger ianj@calweb.com for my public PGP key.
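
Added example, not part of the original posts and not Discus code: a shell audit for the "check your modes" advice in the quoted advisory. It assumes the private data lives in *.txt files under a board data directory whose path you supply; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a board data directory for modes that let any
# local user read private files. The *.txt naming follows the advisory;
# the directory path is whatever the admin passes in (an assumption).

# Print every *.txt file under $1 that "other" can read or write.
world_open_files() {
    find "$1" -type f -name '*.txt' \( -perm -0004 -o -perm -0002 \) -print
}

# Print every directory under $1 (inclusive) that "other" can list or enter.
world_open_dirs() {
    find "$1" -type d \( -perm -0004 -o -perm -0001 \) -print
}

# Strip all "other" access from whatever the two checks report.
# Only appropriate when CGI scripts run as the files' owner (CGIwrap,
# Apache's setuid wrapper); if the web server runs as a different user,
# give that user group access before removing the "other" bits.
# Paths containing newlines are not handled.
tighten_modes() {
    world_open_files "$1" | while IFS= read -r f; do chmod o-rwx "$f"; done
    world_open_dirs "$1" | while IFS= read -r d; do chmod o-rwx "$d"; done
}

# Stand-alone use: sh audit.sh /path/to/board-data   (placeholder path)
if [ -n "${1:-}" ]; then
    world_open_files "$1"
    world_open_dirs "$1"
fi
```

Run the two listing functions first and review the output; tighten_modes changes modes in place.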