
Re: [cobalt-developers] RE: Chiliasp Security Temp Fixes



That's a great heads up, but I had to also modify my httpd.conf file to disable the chilisoft
samples.

/etc/httpd/conf/httpd.conf

Towards the very bottom, check the virtual site entries.

Sincerely,
William L. Thomson Jr.
Obsidian-Studios Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone/fax 707.766.8989
http://www.obsidian-studios.com


----- Original Message -----
From: "Kal Amry" <kamry1888@xxxxxxxxx>
To: <cobalt-developers@xxxxxxxxxxxxxxx>
Sent: Tuesday, February 27, 2001 6:25 PM
Subject: [cobalt-developers] RE: Chiliasp Security Temp Fixes


>
>
> -----Original Message-----
> From: newsletter [mailto:newsletter@xxxxxxxxxxxxx]
> Sent: Tuesday, February 27, 2001 8:42 PM
> To: 'Kal Amry'
> Subject: Chili!Soft ASP Security Bulletin
>
>
> Chili!Soft has recently become aware of some issues related to Chili!Soft
> ASP security. Permanent resolutions for these issues will soon be released
> in a software update, but until then, we would like to provide as much
> information as possible to immediately help remove possibilities of
> exposure.
> There are four specific issues:
>
> 1)  Issue:  Chili!Soft ASP installs a default username and password for the
> ASP Admin Console when you choose to install using the "default"
> installation.
>
> Workaround:  The Admin console username and password can be changed by
> telnetting to the machine and running the "admtool" utility.  You must be
> root to run this utility.   The utility can be found in the Chili!Soft ASP
> installation directory. Once the utility is started, you can list the
> existing users, delete, and/or add additional users.  It is always strongly
> advisable to remove any default settings as quickly as possible.
>
> Note:  By choosing the "custom" installation method, instead of the default,
> you will be prompted for the ASP Admin console username and password.
>
> Software Versions Affected:  Chili!Soft ASP version 3.5.2 for Linux
> (including Cobalt RaQ3 and RaQ4), Chili!Soft ASP version 3.6 for AIX
>
> 2)   Issue:  Chili!Soft ASP sample applications contain the ability to view
> the source of the sample ASP applications.  This "codebrws.asp" script can
> be exploited to view any files on the system where the full path to the file
> location is known.
>
> Workaround:  Disable the sample directories.  This can be done in different
> ways, depending on your environment:
>
> a)  For Chili!Soft customers on Linux environments (including Cobalt RaQ3)
> or using Chili!Soft ASP v3.6 on AIX, go to the ASP Admin Console, click on
> the ASP Applications link, and remove all of the Chili!Soft ASP Applications
> that are listed.  These all begin with the prefix /caspsamp.
>
> b)  For customers on Cobalt RaQ4, Solaris, HP, or previous AIX environments,
> telnet to the machine and change to the asp engines directory
> (/opt/casp/asp-apache-3000 by default, or /home/chiliasp/asp-apache-3000 for
> RaQ4).  Open the casp.cnfg file and comment out the Chili!Soft ASP Sample
> Applications listed at the bottom of the file under the [ASP Applications]
> section.  Again, these all begin with the prefix /caspsamp.
>
> c)  The ability to view the ASP Sample applications is limited to the Root web
> server of a machine.  They cannot be accessed from a virtual host by
> default.  If you are running in a shared hosting environment, your customers
> will only have the ability to access the /caspsamp virtual directory *if*
> they are connecting to the root web server on your machine.  Chili!Soft ASP
> has the ability to enable asp support on a per virtual host basis when used
> with Apache web servers.  You can disable ASP support for the root web
> server.  On Linux and AIX v3.6 installations, this can be done in the Admin
> Console.
>
> Software Versions Affected:  All Chili!Soft releases on UNIX and Linux.
>
> 3)  Issue:  Chili!Soft ASP installs certain configuration files with
> permission settings that allow world-readable access.
>
> Workaround:  The removal of access to the ASP samples, by performing one of
> the steps listed in Item (2) above, will block the ability for anyone to
> view or modify the ASP configuration and log files without having direct
> access to the filesystem.  We have also determined that a number of the
> files can safely be set to a higher degree of security.  Below is a list of
> what can be done at this time.
>
> a)  All files in the ASP engines directory (/opt/casp/asp-apache-3000 by
> default), can be set to either 600 or 700 accordingly, EXCEPT casp.cnfg and
> odbc.ini.  These two files must not be set to any permissions lower than
> 644.
>
> b)  In the CASP installation root directory (/opt/casp by default), you can
> change the permissions on the global_odbc.sh file to 600.
>
> Software Versions Affected:  All Chili!Soft releases on UNIX and Linux (on
> versions other than Linux, filenames and locations may be different).
>
> 4)  Issue:  InheritUser security mode does not properly set the Group ID.
>
> Workaround:  There is no configuration workaround that can be immediately
> applied.  A software update will be made available to resolve this problem.
>
> Software Versions Affected:  All Linux releases.  Solaris, HP, and AIX
> *only* when used with Apache Web server in multithread mode.
>
> We appreciate your patience with these issues.  If you have any questions or
> concerns, please do not hesitate to contact us at tech@xxxxxxxxxxxxxx.  The
> latest information on security issues can always be found at
> http://www.chilisoft.com/security.
>
>
>
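As an added example, not part of either message and not Chili!Soft's own tooling: a POSIX shell pass that applies the item 3 permission workaround from the bulletin and then audits the engine directory for anything still readable by group or other. It assumes the bulletin's default /opt/casp layout; demo_layout builds a constructed stand-in (casp.log and caspeng are made-up file names) so it can be run offline before touching a real server as root.

```shell
#!/bin/sh
# Added example, not from the bulletin or from Chili!Soft: applies the item 3
# permission workaround and audits the result. Paths follow the bulletin's
# /opt/casp defaults; demo_layout builds a constructed stand-in so the script
# runs offline. On a real server run it as root against the real directories.

# Item 3(a): everything in the engine directory goes to 600 (700 if executable),
# except casp.cnfg and odbc.ini, which the bulletin says must stay at 644.
harden_casp_dir() {
    engine_dir="$1"                      # e.g. /opt/casp/asp-apache-3000
    casp_root="$2"                       # e.g. /opt/casp
    for f in "$engine_dir"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in
            casp.cnfg|odbc.ini) chmod 644 "$f" ;;
            *) if [ -x "$f" ]; then chmod 700 "$f"; else chmod 600 "$f"; fi ;;
        esac
    done
    # Item 3(b): the global ODBC setup script in the install root
    [ -f "$casp_root/global_odbc.sh" ] && chmod 600 "$casp_root/global_odbc.sh"
    return 0
}
# Group/other permission bits of a file (chars 5-10 of ls -l), e.g. "r--r--".
go_bits() { ls -ld "$1" | cut -c5-10; }

# Audit: report files still readable or writable by group/other that are not on
# the bulletin's allow-list. Returns 0 when clean, 1 when something is exposed.
audit_casp_dir() {
    engine_dir="$1"; rc=0
    for f in "$engine_dir"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in casp.cnfg|odbc.ini) continue ;; esac
        case "$(go_bits "$f")" in
            *[rwxst]*) echo "exposed: $f ($(go_bits "$f"))"; rc=1 ;;
        esac
    done
    return $rc
}
# Constructed stand-in for a default install (file names other than casp.cnfg,
# odbc.ini and global_odbc.sh are made up); prints the temp root it created.
demo_layout() {
    root=$(mktemp -d) && mkdir "$root/asp-apache-3000"
    for n in casp.cnfg odbc.ini casp.log caspeng; do : > "$root/asp-apache-3000/$n"; done
    chmod 644 "$root/asp-apache-3000/casp.cnfg" "$root/asp-apache-3000/odbc.ini" \
              "$root/asp-apache-3000/casp.log"
    chmod 755 "$root/asp-apache-3000/caspeng"
    : > "$root/global_odbc.sh" && chmod 755 "$root/global_odbc.sh"
    echo "$root"
}
```

Before the pass, audit_casp_dir flags casp.log, caspeng and (outside the engine directory) global_odbc.sh; after harden_casp_dir only the two allow-listed files keep their 644 mode.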