[15122] in bugtraq


Re: Corel Linux Default Install

daemon@ATHENA.MIT.EDU (Vincent Power)
Wed May 31 22:48:15 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.21.0005291520200.4783-100000@servergnome.org>
Date:         Mon, 29 May 2000 15:24:06 -0700
Reply-To: Vincent Power <vince@PENGUIN-POWER.COM>
From: Vincent Power <vince@PENGUIN-POWER.COM>
X-To:         j nickson <jnickson@TOGETHER.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3.0.3.32.20000529134945.006ba494@pop.together.net>

I also noticed this and told one of their "developers" at their Road show
early last month. They didn't seem to think it was a problem.

It also gets the user to create an account on their machine when doing the
install and doesn't ask for a password. It does open a little dialog
box the first (and only the first) time they log in, but most users I know
never read those boxes; they just click cancel.

So there are probably a lot of Corel installs out there that don't have any
passwords set.

The only thing about Corel Linux is they use /etc/securetty, which prevents
root from logging in except on tty1-tty6.

--

Vincent Power ........ Senior Systems Administrator
Macdonald Harris & Associates .. http://www.mha.ca/
Contact Info .. http://servergnome.org/contact.html

On Mon, 29 May 2000, j nickson wrote:

> Date: Mon, 29 May 2000 13:49:45 -0400
> From: j nickson <jnickson@TOGETHER.NET>
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Corel Linux Default Install
>
> Upon its release (April) I ordered the minimum Corel Linux.
>
> Its install is great for Windows users, and if they get their hands on it
> they can get to Netscape on the web in 27 minutes.
>
> If they accept the defaults, they also have a blank root password and
> telnet server enabled.
>
> I don't think I have to say much more for this list, but I'll add, and if
> they have DSL, ...  It is DDOS tra la, tra la, time.
>
> I don't have the bucks to try their other two CDs but I'd expect the same,
> wouldn't you?
>
> I e-mailed Corel and got no response, that was about a month ago.  It is
> time to go public. . .
>
> The thing is it is so totally stupid to have those defaults for an end user
> system.  I don't understand how they could have been so far off the mark.
>
> J
> -------------------------------------------------
> James Nickson,  j@RoninSG.com voice: 603-256-8055
> modem 603-256-8050                facsimile: (802)258-2444
>
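
Added example, not part of either poster's message: a read-only audit of the three things this thread mentions (empty password fields, an enabled telnet service, and /etc/securetty). It assumes passwd(5)/shadow(5) line format and a telnet service managed through inetd.conf; the sample file contents and the account name jdoe are constructed.

```python
import re

# Constructed sample file contents (not taken from a real Corel Linux install).
SHADOW = "root::11106:0:99999:7:::\ndaemon:*:11106:0:99999:7:::\njdoe::11106:0:99999:7:::\n"
SECURETTY = "# virtual consoles only\ntty1\ntty2\ntty3\ntty4\ntty5\ntty6\n"
INETD = ("#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"
         "telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n")


def empty_password_accounts(text):
    """Account names whose second colon-separated field (the password) is empty."""
    names = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line.startswith("#") and len(fields) >= 2 and fields[1] == "":
            names.append(fields[0])
    return names


def root_terminals(text):
    """Terminals listed in securetty, ignoring comments and blank lines."""
    entries = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [e for e in entries if e]


def telnet_enabled(text):
    """True if an uncommented inetd.conf entry has 'telnet' as its service name."""
    return any(line.split()[:1] == ["telnet"] for line in text.splitlines())


def audit(shadow, securetty, inetd):
    """Combine the three checks into one report for a single host."""
    empty = empty_password_accounts(shadow)
    ttys = root_terminals(securetty)
    return {
        "empty_password": empty,
        "telnet_enabled": telnet_enabled(inetd),
        # securetty restricts root only; it helps only if every entry is a local console
        "root_console_only": all(re.fullmatch(r"tty\d+", t) for t in ttys),
        # assumption: the superuser account is named "root"
        "not_covered_by_securetty": [n for n in empty if n != "root"],
    }


if __name__ == "__main__":
    for key, value in audit(SHADOW, SECURETTY, INETD).items():
        print(f"{key}: {value}")
```

On a live system, pass the contents of /etc/shadow (or /etc/passwd), /etc/securetty and /etc/inetd.conf to audit() instead of the samples.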
