[13477] in bugtraq
Re: Security Issues with HIGHSPEEDWEB.NET leased servers
daemon@ATHENA.MIT.EDU (Pedro Hugo)
Fri Jan 21 15:50:04 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <LOBBJFLLLJINIEGEDOOOCEDCCBAA.fractalg@highspeedweb.net>
Date: Thu, 20 Jan 2000 23:35:33 -0000
Reply-To: Pedro Hugo <fractalg@HIGHSPEEDWEB.NET>
From: Pedro Hugo <fractalg@HIGHSPEEDWEB.NET>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <006801bf62e7$91d228e0$0100a8c0@PLUTO.NET>
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We at High Speed Hosting consider the post by one Brian Mueller, to
BUGTRAQ , at best to be irresponsible and at worst , downright
dangerous to our network and the thousands of business clients
connected to it .
Since we use bugtraq regularly , and realize its charter and purpose
is an informational exchange and not a �complaint box� , we will not
go any further into the personal side of this post. Instead , here is
a direct reply to any security value that might or might not have been
derived from that post:
First , in response to the statement that Our Security Policy allows
open telnet access to our servers. This is a complete mis-statement
obviously by one who has no idea what he is doing with the
�administration� of his dedicated server. High Speed Hosting turns
over all dedicated server leases with telnet and daemons denied using
TCPWrappers . The specific line in hosts.deny is ALL:ALL .
We then urge the customer connected to our network , who has full root
access to his server , and thus , has full control , to ONLY allow
specific ports that are needed and only by specific IP address . In
fact we urge them to use ONLY a dedicated ip and not open even to a
class c ie: xxx.xxx.xxx.*
Upon investigating this post we logged on to the dedicated server in
question and noticed the customer himself had removed the ALL:ALL in
the hosts.deny file and thus had opened the server to anyone wanting
to acess it. We consider this a severe risk and unacceptable and we
can't be held responsible for that.
In regards to the second portion of the post which complained of a
problem with our Control Panel system�s email management features ,
High Speed Hosting Security Administrators , aware of the possibility
that another customer hosted on the same server could if he wanted ,
divert email from another customer , immediately began a totally new
Webcontrol [tm] System which uses a very different email system ,
including the use of qmail instead of sendmail.
This new WebControl installation/upgrade began 17 days ago and is
progressing nicely and will soon include all Virtual Hosting servers
and Leased Dedicated NetROCK [tm] servers.
One should look before he leaps.
Mr P. Hugo
Director of Security
Genesis II Networks
High Speed Hosting Division
Security Administration Response Team
- - -----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of
Brian
Mueller
Sent: Quinta-feira, 20 de Janeiro de 2000 1:42
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Security Issues with HIGHSPEEDWEB.NET leased servers
Recently I started leased a dedicated server from HIGHSPEEDWEB.NET, it
came
preconfigured (somewhat) and I was told that it would be "secure" for
telnet
(only specifically stated IP address(s) could gain access), etc.
However, I
have found that this is not the case, it seems that they do not place
limiting information in the host.deny file so anyone can still telnet
into
the server.
Also, their mail configuration which allows users to add mail aliases
either
via a web interface or by editing a file called .mailalias in their
home
directories is faulty. Users may place _ANY_ valid local domain into
this
file and forward mail from that domain to their email address. The
system
works by running a cron script once per day and updating the sendmail
virtual user database. The following is an example
person A has a webhosting account on the HIGHSPEEDWEB.NET configured
server,
person B wishes to "steal" email from Person A, they are targeting the
sales@person-a-domain.com as the attacked address and they are going
to have
that forwarded to foo@bar.com, they add the following line to their
.mailalias file
sales@person-a-domain.com foo@bar.com
when the next update occurs any email sent to
sales@person-a-domain.com will
be forwarded to foo@bar.com, this also works with wildcards i..e.
@person-a-domain.com foo@bar.com
would work if your entry is read into the sendmail virtual user
database
before the one that exists in Person A's directory.
I notified HIGHSPEEDWEB.NET of the security issue well over a month
ago and
have not had any response from them regarding a fix. I however did
instate
one of my own my forcing users to call myself to have aliases added
for the
time being.
Brian Mueller
*************************************************
Brian Mueller
President/CEO
CreoTech
"We are the future"
www.creotech.com
bmueller@creotech.com
513.722.8645
*************************************************
- -----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i
iQA/AwUBOIebj7Q4oqT8+RAqEQKAdwCg2yrLlmHjVMZNP+GenlTy3vZHj+0Amwdo
P5HTatZ4DVhrRYwZIbvdIors
=ICrR
- -----END PGP SIGNATURE-----
