[9793] in bugtraq
Re: Cobalt root exploit
daemon@ATHENA.MIT.EDU (John Fraizer)
Fri Feb 26 11:00:55 1999
Date: Fri, 26 Feb 1999 05:27:55 -0500
Reply-To: John Fraizer <John.Fraizer@ENTERZONE.NET>
From: John Fraizer <John.Fraizer@ENTERZONE.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.04.9902251721310.31100-100000@redhat1.mmaero.com>
I also notified Cobalt of this problem only in 10-98. While it didn't make
it out the pipeline in the form of a patch, our Alpha RaQ2 does have this
taken care of in the form of a modified directory structure.
I have submitted multiple security and cosmetic patches to Cobalt. They
have been very receptive to them and have implemented them into the release
code for both the RaQ1 and RaQ2. All in all, they have been more receptive
than any other vendor I have contacted.
At 05:27 PM 2/25/99 -0500, Jon Lewis wrote:
>I emailed Cobalt about this issue back in 12-98. I had a Qube on eval and
>noticed that the combination of user home directories being within the web
>server's document root dir and the default umask setting making user
>created files world readable meant that I could use a web browser to check
>for .bash_history files in each user's directory...mine of course had one.
>
>I was told by Will DeHaan <will@cobaltnet.com>, that Cobalt really didn't
>intend to have users logging into the Qube for interactive shell sessions,
>but that they still planned to rearrange things such that each user home
>directory would not be in the web server's document root and would instead
>have the equivalent of a public_html dir. This change was to be
>integrated into future software releases.
John Fraizer
The System Administrator
mailto:John.Fraizer@EnterZone.Net
http://www.EnterZone.Net/
The choice of a GNU Generation
PGP Key fingerprint = 7DB6 1CA2 DAA6 43DA 3AAF 44CD 258C 3D7E B425 81A8
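An added audit example (not code from either poster or from Cobalt) for the exposure described in the thread: user home directories living inside the web document root, combined with a permissive default umask, leave dotfiles such as .bash_history world-readable and therefore servable. The tree it scans is a constructed temporary stand-in for the Cobalt layout; `world_readable_dotfiles` reports the exposed files and `lock_down` strips the world bits, which is the interim fix until homes are moved out of the docroot.

```python
import os
import stat
import tempfile


def world_readable_dotfiles(docroot):
    """Return docroot-relative paths of dotfiles the web server could serve.

    Any file under the document root with the other-read bit set is reachable
    by a browser, so dotfiles (.bash_history, .netrc, ...) are what we flag.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            if not name.startswith("."):
                continue
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IROTH:
                findings.append(os.path.relpath(path, docroot))
    return sorted(findings)


def lock_down(docroot):
    """Clear the 'other' permission bits on every flagged dotfile; return count."""
    fixed = 0
    for rel in world_readable_dotfiles(docroot):
        path = os.path.join(docroot, rel)
        mode = os.stat(path).st_mode
        os.chmod(path, mode & ~(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH))
        fixed += 1
    return fixed


def build_demo_tree():
    """Constructed stand-in for the Cobalt layout: home dirs directly under the docroot."""
    docroot = tempfile.mkdtemp(prefix="docroot-")
    old_umask = os.umask(0o022)  # the permissive default umask the post describes
    try:
        for user in ("alice", "bob"):
            home = os.path.join(docroot, user)
            os.makedirs(home)
            # Shell history lands in $HOME, i.e. inside the docroot, mode 0644.
            with open(os.path.join(home, ".bash_history"), "w") as fh:
                fh.write("ls\nvi /etc/passwd\n")
            with open(os.path.join(home, "index.html"), "w") as fh:
                fh.write("<html>hi</html>\n")  # this one is meant to be served
    finally:
        os.umask(old_umask)
    return docroot
```

Run `lock_down(build_demo_tree())` to see both history files reported and then fixed; on a real box point `world_readable_dotfiles` at the server's DocumentRoot and treat any hit as data already exposed, not just a permission bug.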