[cobalt-developers] RE: Chiliasp Security Temp Fixes
- Subject: [cobalt-developers] RE: Chiliasp Security Temp Fixes
- From: "Kal Amry" <kamry1888@xxxxxxxxx>
- Date: Tue Feb 27 18:12:05 2001
- List-id: Discussion Forum for developers on Cobalt Networks products <cobalt-developers.list.cobalt.com>
-----Original Message-----
From: newsletter [mailto:newsletter@xxxxxxxxxxxxx]
Sent: Tuesday, February 27, 2001 8:42 PM
To: 'Kal Amry'
Subject: Chili!Soft ASP Security Bulletin
Chili!Soft has recently become aware of some issues related to Chili!Soft
ASP security. Permanent resolutions for these issues will soon be released
in a software update, but until then, we would like to provide as much
information as possible to immediately help remove possibilities of
exposure.

There are four specific issues:

1) Issue: Chili!Soft ASP installs a default username and password for the
ASP Admin Console when you choose to install using the "default"
installation.

Workaround: The Admin console username and password can be changed by
telnetting to the machine and running the "admtool" utility. You must be
root to run this utility. The utility can be found in the Chili!Soft ASP
installation directory. Once the utility is started, you can list the
existing users, delete, and/or add additional users. It is always strongly
advisable to remove any default settings as quickly as possible.

Note: By choosing the "custom" installation method, instead of the default,
you will be prompted for the ASP Admin console username and password.

Software Versions Affected: Chili!Soft ASP version 3.5.2 for Linux
(including Cobalt RaQ3 and RaQ4), Chili!Soft ASP version 3.6 for AIX

2) Issue: Chili!Soft ASP sample applications contain the ability to view
the source of the sample ASP applications. This "codebrws.asp" script can
be exploited to view any files on the system where the full path to the file
location is known.

Workaround: Disable the sample directories. This can be done in different
ways, depending on your environment:

a) For Chili!Soft customers on Linux environments (including Cobalt RaQ3)
or using Chili!Soft ASP v3.6 on AIX, go to the ASP Admin Console, click on
the ASP Applications link, and remove all of the Chili!Soft ASP Applications
that are listed. These all begin with the prefix /caspsamp.

b) For customers on Cobalt RaQ4, Solaris, HP, or previous AIX environments,
telnet to the machine and change to the asp engines directory
(/opt/casp/asp-apache-3000 by default, or /home/chiliasp/asp-apache-3000 for
RaQ4). Open the casp.cnfg file and comment out the Chili!Soft ASP Sample
Applications listed at the bottom of the file under the [ASP Applications]
section. Again, these all begin with the prefix /caspsamp.

c) The ability to view the ASP Sample applications is limited to the Root web
server of a machine. They cannot be accessed from a virtual host by
default. If you are running in a shared hosting environment, your customers
will only have the ability to access the /caspsamp virtual directory *if*
they are connecting to the root web server on your machine. Chili!Soft ASP
has the ability to enable asp support on a per virtual host basis when used
with Apache web servers. You can disable ASP support for the root web
server. On Linux and AIX v3.6 installations, this can be done in the Admin
Console.

Software Versions Affected: All Chili!Soft releases on UNIX and Linux.

3) Issue: Chili!Soft ASP installs certain configuration files with
permission settings that allow world-readable access.

Workaround: The removal of access to the ASP samples, by performing one of
the steps listed in Item (2) above, will block the ability for anyone to
view or modify the ASP configuration and log files without having direct
access to the filesystem. We have also determined that a number of the
files can safely be set to a higher degree of security. Below is a list of
what can be done at this time.

a) All files in the ASP engines directory (/opt/casp/asp-apache-3000 by
default), can be set to either 600 or 700 accordingly, EXCEPT casp.cnfg and
odbc.ini. These two files must not be set to any permissions lower than
644.

b) In the CASP installation root directory (/opt/casp by default), you can
change the permissions on the global_odbc.sh file to 600.

Software Versions Affected: All Chili!Soft releases on UNIX and Linux (on
versions other than Linux, filenames and locations may be different).

4) Issue: InheritUser security mode does not properly set the Group ID.

Workaround: There is no configuration workaround that can be immediately
applied. A software update will be made available to resolve this problem.

Software Versions Affected: All Linux releases. Solaris, HP, and AIX
*only* when used with Apache Web server in multithread mode.

We appreciate your patience with these issues. If you have any questions or
concerns, please do not hesitate to contact us at tech@xxxxxxxxxxxxxx. The
latest information on security issues can always be found at
http://www.chilisoft.com/security.
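The two manual workarounds that can be scripted, items 2(b) and 3 of the bulletin, as an added example written here (it is not from the bulletin, from Chili!Soft, or from Cobalt): it comments out the /caspsamp entries under [ASP Applications] in casp.cnfg, applies the 600/700 modes while keeping casp.cnfg and odbc.ini at 644, and audits what is still world-readable. It assumes the default paths the bulletin names and that "#" is the comment character in casp.cnfg; the sample config in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not from the bulletin or from Chili!Soft. Helpers for
# items 2(b) and 3: comment out the /caspsamp sample applications in
# casp.cnfg and tighten file modes in the engine directory. Assumes the
# default paths named in the bulletin and that '#' is casp.cnfg's comment
# character (an assumption; check your copy of the file first).
CASP_ROOT="${CASP_ROOT:-/opt/casp}"
ENGINE_DIR="${ENGINE_DIR:-$CASP_ROOT/asp-apache-3000}"

# Item 2(b): prefix every /caspsamp entry under [ASP Applications] with '#'.
# Entries in other sections are left untouched; a 600-mode backup is kept.
disable_caspsamp() {
    cnfg="$1"
    cp "$cnfg" "$cnfg.bak" && chmod 600 "$cnfg.bak" || return 1
    awk '
        /^\[/ { in_apps = ($0 == "[ASP Applications]") }
        in_apps && $0 ~ /^[ \t]*\/caspsamp/ { print "#" $0; next }
        { print }
    ' "$cnfg.bak" > "$cnfg"
}

# Item 3(a)/(b): 700 for executables, 600 for everything else in the engine
# directory, but casp.cnfg and odbc.ini stay at 644 as the bulletin requires;
# global_odbc.sh in the install root goes to 600.
tighten_perms() {
    engine="$1"; root="$2"
    for f in "$engine"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in
            casp.cnfg|odbc.ini) chmod 644 "$f" ;;
            *) if [ -x "$f" ]; then chmod 700 "$f"; else chmod 600 "$f"; fi ;;
        esac
    done
    [ -f "$root/global_odbc.sh" ] && chmod 600 "$root/global_odbc.sh"
    return 0
}

# Audit: list files under the engine directory that are still world-readable,
# ignoring the two that must remain 644. Empty output means the directory
# matches the state the bulletin recommends.
world_readable() {
    find "$1" -type f -perm -004 ! -name casp.cnfg ! -name odbc.ini
}

# Usage on a live box (as root):
#   disable_caspsamp "$ENGINE_DIR/casp.cnfg"
#   tighten_perms "$ENGINE_DIR" "$CASP_ROOT"
#   world_readable "$ENGINE_DIR"   # prints nothing when clean
```

Run world_readable before and after on a RaQ4 (where the engine directory is /home/chiliasp/asp-apache-3000, so set ENGINE_DIR accordingly) to confirm the modes took effect.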