
Re: [cobalt-developers] [Fwd: [chuck@xxxxxx: Cobalt RaQ2 - a user of mine changed my adminpassword..]]



Niels Poppe wrote:
> 
> Serious security problem, it seems?

	I have just checked .. and it works on a RaQ2's UI as well!

	Many expletives that wouldn't get through Mimesweeper spring to mind
here. Thankfully I also do not use Cobalt's UI (which was just left
lying dormant .. it's now getting itself disabled).

	Cobalt *have* to do something about this. The problem is that,
although, apache is doing authentication to get access to those HTML
pages, the CGI scripts on the back end are not doing a sanity check to
ensure that the requesting user has the required privileges. It
*should* be a fairly trivial programming fix to someone who knows the
Cobalt code.

	The other scary thing here is that this is a fairly fundamental
foul-up. Any software making this sort of change should check that the
user has the permissions to carry out the request itself and not leave
it to another 'layer' to do so (if possible it should also authenticate
the user itself - but this isn't easily done in CGI). If this mistake
has been made here, where else?

> We only use the RaQ hardware, and put a totally different unix
> distribution on it.

	Unfortunately, the RaQ is targeted at a userbase that generally
wouldn't see the need (or even how) to make changes to the underlying
software. 
 
> For those using it as supplied, closing off port 81 from the
> internet seems to be a wise thing ...

	The problem is more serious than that .. you would have to deny
administrative access for all of your (possibly paying) website admins.
If I was on the receiving end of that, it would really get me angry.

	The users are currently in a lose-lose situation.

Regards,

	Dave

-- 
David Sexton

Network Technician
Sapphire Technologies Ltd.
Tel: +44 (0) 1642 702100
Fax: +44 (0) 1642 702119

-----------------------------------------------
Any opinions expressed in this message are those of the individual and not necessarily the company.  This message and any files transmitted with it are confidential and solely for the use of the intended recipient.  If you are not the intended recipient or the person responsible for delivering to the intended recipient, be advised that you have received this message in error and that any use is strictly prohibited.

Sapphire Internet
http://www.sapphire.net
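The failure mode Dave describes above (Apache authenticates the request, but the CGI behind it never checks that the authenticated user is allowed to act on the account named in the form) is illustrated below with a constructed example. This is added here and is not Cobalt's code, nor a reconstruction of the RaQ's scripts; the account table, the form field names (user, new_password), the two roles, and the REMOTE_USER convention are all assumptions made for the illustration.

```python
"""
Constructed illustration of a CGI that trusts the web server's
authentication alone, beside one that performs its own authorization check.
In a real CGI, `environ` would be os.environ as set by Apache and `form`
would be the parsed POST body; both are passed in here so it runs offline.
"""
import copy

# Constructed account table (assumption): name -> role and current password.
ACCOUNTS = {
    "admin": {"role": "admin", "password": "s3cret"},
    "chuck": {"role": "site", "password": "hunter2"},
    "alice": {"role": "site", "password": "letmein"},
}


def fresh_accounts():
    """Return a private copy of the table so each run starts clean."""
    return copy.deepcopy(ACCOUNTS)


def vulnerable_change_password(environ, form, accounts):
    """Relies on the web server's authentication and nothing else.

    REMOTE_USER only proves that *someone* authenticated.  The script then
    honours whatever target account the form names, so any authenticated
    site user can reset the admin password.
    """
    if not environ.get("REMOTE_USER"):
        return (401, "not authenticated")
    target = form.get("user", "")
    if target not in accounts:
        return (404, "no such user")
    accounts[target]["password"] = form["new_password"]
    return (200, "password changed for %s" % target)


def hardened_change_password(environ, form, accounts):
    """Performs the authorization check itself, on every request.

    The requester (REMOTE_USER, set by Apache after authenticating) may
    change their own password, or any password if they hold the admin role.
    Anything else is refused before the account table is touched.
    """
    requester = environ.get("REMOTE_USER")
    if not requester or requester not in accounts:
        return (401, "not authenticated")
    target = form.get("user", "")
    if target not in accounts:
        return (404, "no such user")
    is_admin = accounts[requester]["role"] == "admin"
    if target != requester and not is_admin:
        return (403, "%s may not change the password for %s" % (requester, target))
    accounts[target]["password"] = form["new_password"]
    return (200, "password changed for %s" % target)


def demo():
    """Replay the scenario from the thread (a site user targets 'admin')
    against both handlers; returns {name: (status, admin password after)}."""
    environ = {"REMOTE_USER": "chuck"}          # authenticated by Apache
    form = {"user": "admin", "new_password": "pwned"}
    results = {}
    for name, handler in (("vulnerable", vulnerable_change_password),
                          ("hardened", hardened_change_password)):
        accounts = fresh_accounts()
        status, _ = handler(environ, form, accounts)
        results[name] = (status, accounts["admin"]["password"])
    return results


if __name__ == "__main__":
    for name, (status, admin_pw) in demo().items():
        print("%-10s HTTP %d, admin password now %r" % (name, status, admin_pw))
```

The point is the one made in the message: the check belongs in the code that performs the change, keyed on the identity the server already established, not in a separate layer that only gates access to the page.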