[15770] in bugtraq
Re: Security Advisory: Netscape Administration Server Password
daemon@ATHENA.MIT.EDU (Peter W)
Thu Jul 13 19:28:16 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0007121327500.6270-100000@localhost>
Date: Wed, 12 Jul 2000 13:48:30 -0400
Reply-To: Peter W <peterw@USA.NET>
From: Peter W <peterw@USA.NET>
X-To: f0bic <kris@securax.org>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <00071122473300.00796@ninja>

At 10:46pm Jul 11, 2000, f0bic wrote:
> The administration server is a web-based server that contains the Java and JavaScript forms you use to configure your
> Netscape SuiteSpot servers. The authentication username and password for this service are kept in a directory in the
> server root, readable by default.
>
> The administration server is installed when you first install SuiteSpot server. For remote logon, it authenticates by
> validating the password prompt input with the administration server password file. This password file is kept in a local
> directory within the SuiteSpot server. The SuiteSpot superuser password file is located at the following path:
> http://www.server.com/admin-serv/config/admpw

You mean file://<installDir>/admin-serv/config/admpw. It would not be
visible via HTTP like that unless you decided to create an httpd instance
with <installDir> as its document root.

For iPlanet Web Server 4.0 and 4.1, try <installDir>/https-admserv/config/

> The admpwd file is in the "user:password" format, with an encrypted password field which can potentially be compromised
> by a brute force attack. This user has full access to all features in the administration server and sees all forms in
> the administration server except the Users & Groups forms since these require a valid account in an LDAP server such
> as Netscape Directory Server.

This depends on your specific configuration. Note that Netscape has always
recommended that the admin server run as root so it can do things like
start httpd instances (setuid() + binding to low ports like 80 and 443).
Anyone who obtains the Netscape admin password can fairly easily create a
new httpd instance running as root, enable CGI there, and fairly quickly
own the whole server (or at least the chroot() jail if you
bothered/succeeded to chroot Netscape).

> The Netscape-Enterprise manual page on Administration Server specifies that it is recommended that you write-protect the
> admpwd file since this is not done by default.

Write-protect? The config dirs on my systems are (were) 0775; admpw, 0644.
Only root can change the file, though even read perms are bad, as you say.

> Solution:
>
> 1. Set write-protect permissions on the admpw file located at <server_root>/admin-serv/config/admpw

On NES 3.6x I've shut down the admin server, chmod'ed the
<installDir>/admin-serv dir to 0700 (I figure others don't need to see the
config files or the admin server logs, for that matter), and restarted the
admin server with no apparent ill effects.

Thanks,
-Peter
--
http://www.bastille-linux.org/ : working towards more secure Linux systems
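
Added example, not part of the message above or of the original advisory: a permission audit for the admin server directory and admpw file discussed in this thread, flagging anything looser than the 0700 directory mode described in the reply. The function names are hypothetical, and the presence of an admpw file under https-admserv (iPlanet 4.x) is an assumption, since the thread names only that directory.

```sh
#!/bin/sh
# Added example: permission audit for the admin server config discussed above.
# Directory names come from the thread; an admpw file under https-admserv
# (iPlanet 4.x) is an assumption, the thread only names that directory.

# has_bits PATH MODE: true when PATH has every permission bit in MODE set.
has_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# any_bits PATH MODE...: true when PATH has at least one of the listed bits.
any_bits() {
    p=$1; shift
    for b in "$@"; do
        has_bits "$p" "$b" && return 0
    done
    return 1
}

# audit_admin_config INSTALLDIR
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_admin_config() {
    findings=0
    for sub in admin-serv https-admserv; do
        dir="$1/$sub"
        [ -d "$dir" ] || continue
        # 0700 on the directory means no group/other bits at all.
        if any_bits "$dir" 040 020 010 004 002 001; then
            echo "DIR_OPEN $dir"
            findings=$((findings + 1))
        fi
        pw="$dir/config/admpw"
        [ -f "$pw" ] || continue
        # Reported even when the directory is locked down, as defence in depth.
        if any_bits "$pw" 040 004; then
            echo "PW_READABLE $pw"
            findings=$((findings + 1))
        fi
        if any_bits "$pw" 020 002; then
            echo "PW_WRITABLE $pw"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run against a real tree only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_admin_config "$1"
fi
```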