[cobalt-security] CGIWrap Update: Patched RaQ still has issues
- Subject: [cobalt-security] CGIWrap Update: Patched RaQ still has issues
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Thu, 29 Aug 2002 02:58:25 +0200
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi all,
Katsumi Imaizumi (k-imaiz _at_ silverhotel.co.jp) just let me know that there
are still issues with CGI-Wrapper on the RaQs. He also reported it to CERT
and Sun.
Change the domain and the username below to one of your RaQs and see for yourself:
http://www.victim.org/cgiwrapDir/cgiwrapd/~someone/<html><s>TEST</s>
Reveals UID, GID of "someone", his home directory and some other errands.
All by itself it isn't that big of a deal, but I could imagine a few scenarios
where this information might aid in an exploitation.
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
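
A log check for the request shape described in the message above, as an added example that is not part of the original post: it scans web server access-log lines for requests that reached cgiwrapd and flags those carrying markup after the account name. It assumes Apache common/combined log format; the function name, the regexes and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log line: host ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.*?) (HTTP/[\d.]+)" (\d{3}) ')
# Path shape from the message: .../cgiwrapd/~account/<anything>
CGIWRAPD_RE = re.compile(r'/cgiwrapd/~?([^/?\s]+)(/[^?]*)?', re.IGNORECASE)
MARKUP_RE = re.compile(r'[<>"]')

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Aug/2002:03:01:12 +0200] "GET /cgiwrapDir/cgiwrapd/~someone/%3Chtml%3E%3Cs%3ETEST%3C/s%3E HTTP/1.0" 200 1843',
    '192.0.2.11 - - [29/Aug/2002:03:02:40 +0200] "GET /cgiwrapDir/cgiwrap/~someone/form.cgi HTTP/1.0" 200 512',
    '192.0.2.12 - - [29/Aug/2002:03:05:07 +0200] "GET /cgiwrapDir/cgiwrapd/~other/test.cgi HTTP/1.0" 200 2210',
    '192.0.2.13 - - [29/Aug/2002:03:06:00 +0200] "GET /index.html HTTP/1.0" 200 100',
]

def scan(lines):
    """Return one finding per logged request whose path goes through cgiwrapd."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, when, _method, raw_path, _proto, status = m.groups()
        # Decode twice so %253C-style double encoding is still recognised.
        path = unquote(unquote(raw_path))
        hit = CGIWRAPD_RE.search(path)
        if not hit:
            continue  # plain cgiwrap and unrelated paths are ignored
        findings.append({
            "client": client,
            "time": when,
            "account": hit.group(1),
            # Markup after the account name matches the test URL in the message.
            "markup_in_path": bool(MARKUP_RE.search(hit.group(2) or "")),
            "status": int(status),
        })
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Accounts that show up in the findings are the ones whose UID, GID and home directory may have been returned to the listed client.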