[14677] in bugtraq
Re: ISS Security Advisory: Backdoor Password in Red Hat Linux
daemon@ATHENA.MIT.EDU (Cristian Gafton)
Wed Apr 26 03:34:55 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0004251816360.16781-100000@alien.devel.redhat.com>
Date: Tue, 25 Apr 2000 18:29:54 -0400
Reply-To: Cristian Gafton <gafton@REDHAT.COM>
From: Cristian Gafton <gafton@REDHAT.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000425102126.A19615@underground.org>
On Tue, 25 Apr 2000, Aleph One wrote:
> Backdoor Password in Red Hat Linux Virtual Server Package
As probably it is clear by now, this is not a backdoor. The advisory
refers to the *default password* for a service and by any common sense
standards this does not fit the definition of a backdoor.
> Impact:
>
> With this backdoor password, an attacker could compromise the web server as
> well as deface and destroy the web site.
Now, wait a minute. How flashy can an advisory be made? Granted the
security problem is serious (I do not dispute that), but how does this
implies that one has immediate access to deface a web site?! The web
server runs as nobody, and I have yet to hear of sane installations that
have the .html files owned by nobody.
The remote users can get a shell access on a web server. *That* is the
serious security vulnerability. Whatever the attacker can do from there on
is a matter of the internal security on a web server. But just having this
shell does not guarantee the destruction of a web site, as the ISS
advisory seems to imply.
Cristian
--
----------------------------------------------------------------------
Cristian Gafton -- gafton@redhat.com -- Red Hat, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"How could this be a problem in a country where we have Intel and
Microsoft?" --Al Gore on Y2K
