[13464] in bugtraq
Security Issues with HIGHSPEEDWEB.NET leased servers
daemon@ATHENA.MIT.EDU (Brian Mueller)
Thu Jan 20 19:11:46 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <006801bf62e7$91d228e0$0100a8c0@PLUTO.NET>
Date: Wed, 19 Jan 2000 20:42:09 -0500
Reply-To: Brian Mueller <bmueller@CREOTECH.COM>
From: Brian Mueller <bmueller@CREOTECH.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Recently I started leased a dedicated server from HIGHSPEEDWEB.NET, it came
preconfigured (somewhat) and I was told that it would be "secure" for telnet
(only specifically stated IP address(s) could gain access), etc. However, I
have found that this is not the case, it seems that they do not place
limiting information in the host.deny file so anyone can still telnet into
the server.
Also, their mail configuration which allows users to add mail aliases either
via a web interface or by editing a file called .mailalias in their home
directories is faulty. Users may place _ANY_ valid local domain into this
file and forward mail from that domain to their email address. The system
works by running a cron script once per day and updating the sendmail
virtual user database. The following is an example
person A has a webhosting account on the HIGHSPEEDWEB.NET configured server,
person B wishes to "steal" email from Person A, they are targeting the
sales@person-a-domain.com as the attacked address and they are going to have
that forwarded to foo@bar.com, they add the following line to their
.mailalias file
sales@person-a-domain.com foo@bar.com
when the next update occurs any email sent to sales@person-a-domain.com will
be forwarded to foo@bar.com, this also works with wildcards i..e.
@person-a-domain.com foo@bar.com
would work if your entry is read into the sendmail virtual user database
before the one that exists in Person A's directory.
I notified HIGHSPEEDWEB.NET of the security issue well over a month ago and
have not had any response from them regarding a fix. I however did instate
one of my own my forcing users to call myself to have aliases added for the
time being.
Brian Mueller
*************************************************
Brian Mueller
President/CEO
CreoTech
"We are the future"
www.creotech.com
bmueller@creotech.com
513.722.8645
*************************************************
