[2605] in bugtraq
Re: Security problem in ESRI's ArcDoc 7.0.4
daemon@ATHENA.MIT.EDU (Sven.Wijk)
Fri May 24 13:11:10 1996
Date: Fri, 24 May 1996 11:05:48 +0200
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: "Sven.Wijk" <svenw@sgu.se>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
> *** GIS & ESRI/ARC/Info shops take note! ***
>
> The program "fm_fls" as distributed with ESRI's "ArcDoc" package (7.0.4)
> contains a bug which allows us to (a) add somewhat arbitrary data
> to any file and (b) changes the permissions of that file to rw-rw-rw-.
The program doesn't seem to be there in the version we are running (7.0.2).
Downgrading might be an alternative solution. Please correct me if I'm wrong!
A quick search in the ArcInfo directories showed 4 other programs suid to root.
Do we have a potential for problems?
Our GIS-people earlier looked at ESRI's product ArcStorm. Its client-server
solution is built on:
- a bunch of programs suid to root
- the clients must be trusted hosts to the server, by means of the /etc/.rhost
or /etc/host.equiv file.
This made me very uneasy, and I finally managed to get them to drop their
ArcStorm-dreams, and to search for some more security minded solution.
It seems that security isn't a high priority issue for ESRI's developers.
---
Sven.Wijk@sgu.se
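The "quick search" for setuid-root programs mentioned above, plus a check of the
rhosts-style trust files that the ArcStorm setup depends on, written out as a
small POSIX shell audit. This is an added example, not code from the post, from
ESRI or from Bugtraq; the directory layout, file names and the sample trust file
are assumptions constructed for illustration, not ESRI's real install tree.

```shell
#!/bin/sh
# Added example, not part of the original Bugtraq post. Audits an install
# tree for setuid binaries and checks rhosts-style trust files for
# wildcard entries. Paths and owners used here are assumptions.

# List regular files under DIR with the setuid bit set (mode 4000) that are
# owned by OWNER (default root), one path per line, sorted. The trailing
# '|| true' keeps a pipeline with no matches from failing under 'set -e'.
find_setuid() {
    dir=$1
    owner=${2:-root}
    find "$dir" -type f -perm -4000 -user "$owner" 2>/dev/null | sort || true
}

# Number of setuid files under DIR owned by OWNER (default root).
# awk is used instead of 'wc -l' so the output has no leading spaces.
count_setuid() {
    find_setuid "$1" "$2" | awk 'END { print NR }'
}

# Inspect a hosts.equiv or .rhosts style file. Lines are "host [user]";
# a '+' in either field trusts every host or every user, which is the
# classic mistake. Prints the offending lines and returns 1 if any are
# found, returns 0 if the file is clean or unreadable.
check_trust_file() {
    file=$1
    [ -r "$file" ] || return 0
    bad=$(grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' \
          | awk '$1 == "+" || $2 == "+" { print }')
    if [ -n "$bad" ]; then
        printf '%s: wildcard trust entry:\n%s\n' "$file" "$bad"
        return 1
    fi
    return 0
}

# Usage (assumed install root, not ESRI's documented layout):
#   find_setuid /usr/local/arcinfo
#   check_trust_file /etc/hosts.equiv
```

Run the two functions against the real install root and trust files on the server;
every path printed by find_setuid is a binary that runs with root privileges for
any local user, and any line printed by check_trust_file means a host or user
field is a wildcard.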