RE: [cobalt-security] Security issue regarding Sites Backups
- Subject: RE: [cobalt-security] Security issue regarding Sites Backups
- From: "Chris Burton" <chris@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 5 Sep 2001 19:25:07 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> Cobalt Backup is not a utility for moving a site from one box to the
> other.
My personal gripe with the Cobalt Backup in the GUI is that any user with
login or cgi perms can look at what your password to the ftp server is:
they wait for the backup to be running and then look at the cmdline in
proc.
E.g.
# I see backup running here (all done as a std user)
32648 pts/1 S 0:04 perl /usr/admserv/cgi-bin/.cobalt/backup/backup.cgi
# look at the process
cd /proc/32648
cat cmdline
And in that we have a nice line
perl/usr/admserv/cgi-bin/.cobalt/backup/backup.cgi-bcomplete-tcomplete-pftp-rUSER@HOST-s420--passwordPASSWORD
Is there anything that can be done with this ?
Yours,
Chris Burton
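The leak described in the post, as an added example that is not part of the original message and not Cobalt's code: /proc/<pid>/cmdline stores argv with a NUL byte after each argument (which is why `cat cmdline` prints them run together), and the file is world-readable on a default Linux, so any local user can harvest a password passed as an argument. The script below parses that format and reports secret-carrying arguments, first on a constructed sample modelled on the backup.cgi invocation (the exact argument boundaries are my assumption; the post shows them joined) and then across the live /proc. The function names, the option list in SECRET_OPTS and the sample are mine.

```python
"""Find passwords exposed through /proc/<pid>/cmdline.

Added example for the cobalt-security thread; not the original poster's
code and not Cobalt's. Helper names and patterns are hypothetical.
"""
from __future__ import annotations

import os
import re

# Constructed sample: argv of the backup.cgi run from the post, laid out the
# way the kernel stores it (NUL after every argument). Splitting the joined
# "-s420--passwordPASSWORD" into "--password" and "PASSWORD" is an assumption.
SAMPLE_CMDLINE = (
    b"perl\0/usr/admserv/cgi-bin/.cobalt/backup/backup.cgi\0"
    b"-bcomplete\0-tcomplete\0-pftp\0-rUSER@HOST\0-s420\0"
    b"--password\0PASSWORD\0"
)

# Option names whose value is a secret, as "--password VALUE" or
# "--password=VALUE". Hypothetical list; extend it for the tools on your box.
SECRET_OPTS = re.compile(
    r"^--?(password|passwd|pass|pw|token|secret)(=(.*))?$", re.I
)
# URL-style credentials embedded in an argument: scheme://user:pass@host
USERINFO = re.compile(r"//([^/:@\s]+):([^/@\s]+)@")


def parse_cmdline(raw: bytes) -> list[str]:
    """Split the raw bytes of /proc/<pid>/cmdline into an argv list."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def find_leaked_secrets(argv: list[str]) -> list[tuple[str, str]]:
    """Return (where, secret) pairs for every secret visible in argv."""
    found = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        m = SECRET_OPTS.match(arg)
        if m and m.group(2) is not None:            # --password=VALUE
            found.append((arg.split("=", 1)[0], m.group(3)))
        elif m and i + 1 < len(argv):                # --password VALUE
            found.append((arg, argv[i + 1]))
            i += 1                                   # skip the value itself
        u = USERINFO.search(arg)
        if u:                                        # scheme://user:pass@host
            found.append(("userinfo:" + u.group(1), u.group(2)))
        i += 1
    return found


def scan_proc(proc: str = "/proc") -> list[tuple[int, str, list[tuple[str, str]]]]:
    """Walk every process visible in /proc and report secrets in its argv.

    Needs no privilege: cmdline is readable by all users unless /proc is
    mounted with hidepid. Returns (pid, argv[0], [(where, secret), ...]).
    """
    hits = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:          # process exited, or hidepid denied access
            continue
        leaks = find_leaked_secrets(argv)
        if leaks:
            hits.append((int(entry), argv[0] if argv else "", leaks))
    return hits


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, then a live scan.
    argv = parse_cmdline(SAMPLE_CMDLINE)
    print("sample argv:", argv)
    print("leaked:", find_leaked_secrets(argv))
    if os.path.isdir("/proc"):
        for pid, exe, leaks in scan_proc():
            for where, secret in leaks:
                print(f"pid {pid} ({exe}): {where} -> {secret!r}")
```

Run it as an unprivileged user while a backup (or any other job that takes a password on its command line) is running and it prints the same argument vector a `cat /proc/<pid>/cmdline` would, with the secret picked out. Passing the password via stdin or a file readable only by the owner avoids the exposure; moving it into an environment variable only narrows it, since /proc/<pid>/environ is readable by the process owner and root.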