[10410] in bugtraq
Re: Discus advisory.
daemon@ATHENA.MIT.EDU (Todd C. Campbell)
Sat May 1 13:41:41 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <372B1F9A.AF4A0D01@net-link.net>
Date: Sat, 1 May 1999 11:36:58 -0400
Reply-To: toddc@net-link.net
From: "Todd C. Campbell" <toddc@NET-LINK.NET>
To: BUGTRAQ@NETSPACE.ORG
Elaich Of Hhp wrote:
> On Wed, 28 Apr 1999, Ian R. Justman wrote:
> > Showed this to my boss because one of our customers (one whose account we
> > are currently reviewing) runs this script.
> >
> > If this is running under Linux, FreeBSD or any system with a decent shadow
> > password system or something similar AND a sanely-configured web server,
> > e.g. with CGIwrap, any internal wrappering which runs scripts as the owner
> > of the script like any later version of Apache with the integrated setuid
> > wrapper, or at the very least just outright running scripts as an
> > arbitrary unprivileged user, there is no problem. You can't read
> > /etc/shadow|/etc/master.passwd|/etc/whatever if you're not a privileged
> > user. ;)
> >
> > --Ian.
>
> Well I never said that /etc/shadow, /etc/passwd etc. etc. were readable.
> and the stuff you stated above is not the problem here. The software
> creates the directory with 666 perms. In that directory there is a
> users.txt and a admin.txt which both contain crypt(3) passwds.
>
Where this is true, and it is something that you should be careful of. The
admin directory where these files are found is mentioned in the documentation.
They do tell you to make sure the directory is not web readable. I took this as
a tip off, and made the appropriate changes. I would think any good
administrator would have done the same.
-Todd
