[cobalt-users] RE: Advisory: Chili!Soft ASP Multiple Vulnerabilities
- Subject: [cobalt-users] RE: Advisory: Chili!Soft ASP Multiple Vulnerabilities
- From: "GPS" <gps@xxxxxxxxxxxxxx>
- Date: Mon Feb 26 15:33:01 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Dear Mr Brock,
I have concerns about the Cobalt install of ChiliSoft on
Raq3's and Raq4's. There's no mention in your post below for
what Sun/Cobalt SERVER APPLIANCE owners are supposed to do.
Cobalt claims that customers would void their warranty if they
attempted such fixes as you recommend via telnet. Cobalt only
advocates installing their PKG format security upgrades through
the Raq's Web Admin GUI.
In the meantime we've just completely disabled the use of the ChiliSoft
software and will not recommend any of our clients attempt to run it until
we hear of a patch from Cobalt.
Tony Patti
Global Profit Solutions
>-----Original Message-----
>From: Bugtraq List [mailto:BUGTRAQ@xxxxxxxxxxxxxxxxx]On Behalf Of John
>Brock
>Sent: Saturday, February 24, 2001 11:22 AM
>To: BUGTRAQ@xxxxxxxxxxxxxxxxx
>Subject: Re: Advisory: Chili!Soft ASP Multiple Vulnerabilities
>
>
>There have been various issues related to security
>brought to the attention of Chili!Soft.
>
>While we are working as quickly as possible to
>address the more detailed issues, we
>would like to provide as much information as possible
>on the current status to help
>remove as much exposure as possible in the short
>term. Chili!Soft is dedicated to
>providing a safe, secure environment for both our
>customers and their clients.
>
>There have been 4 specific issues presented to us.
>We will cover each in its own
>section below.
>
>1) Issue: Chili!Soft ASP installs a default username
>and password for the ASP Admin
>Console when you choose to install using
>the "default" installation.
>
>Solution: The Admin console username and
>password can be changed by telnetting to
>the machine and running the "admtool" utility. You
>must be root to run this utility. Once
>the utility is started, you can list the existing users,
>delete, and/or add additional users.
>It is always strongly advisable to remove any default
>settings as quickly as possible.
>
>Note: By choosing the "custom" installation method,
>instead of the default, you will be
>prompted for the ASP Admin console username and
>password.
>
>Software Versions Affected: Linux 3.5.2, AIX 3.6
>
>2) Issue: Chili!Soft ASP sample applications
>contain the ability to view the source of
>the sample ASP applications. This "codebrws.asp"
>script can be exploited to view any
>files on the system where the full path to the file
>location is known.
>
>Solution: Disable the sample directories. This can
>be done in different ways, depending
>on your environment.
> a) For Chili!Soft customers on Linux
>environments or using Chili!Soft ASP v3.6
>on AIX, go to the ASP Admin Console, click on the
>ASP Applications link, and remove
>all of the Chili!Soft ASP Applications that are listed.
>These all begin with the prefix
>/caspsamp.
> b) For customers on Solaris, HP, or
>previous AIX environments, telnet to the
>machine and change to the asp engines directory
>(/opt/casp/asp-apache-3000 by
>default). Open the casp.cnfg file and comment out
>the Chili!Soft ASP Sample
>Applications listed at the bottom of the file under the
>[ASP Applications] section. Again,
>these all begin with the prefix /caspsamp.
> c) The ability to view the ASP Sample
>applications is limited to the Root web
>server of a machine. They cannot be accessed
>from a virtual host by default. If you
>are running in a shared hosting environment, your
>customers will only have the ability to
>access the /caspsamp virtual directory *if* they are
>connecting to the root web server on
>your machine. Chili!Soft ASP has the ability to
>enable asp support on a per virtual host
>basis when used with Apache web servers. You can
>disable ASP support for the root
>web server. On Linux and AIX v3.6 installations, this
>can be done in the Admin
>Console.
>
>Note: *All* of the file access issues presented in the
>BugTraQ Advisory "Chili!Soft ASP
>Multiple Vulnerabilities" are directly related to the
>ability to reach the /caspsamp virtual
>directory. If one cannot view the ASP Sample
>applications from the web, one cannot
>access the configuration and log files from the web.
>
>Software Versions Affected: All Chili!Soft releases on
>UNIX.
>
>3) Issue: Chili!Soft ASP installs certain configuration
>files with permission settings that
>allow world-readable access.
>
>Solution: The removal of access to the ASP
>samples, by performing one of the steps
>listed in Item (2) above, will block the ability for
>anyone to view or modify the ASP
>configuration and log files without having direct
>access to the filesystem. We have also
>determined that a number of the files can safely be
>set to a higher degree of security.
>Below is a list of what can be done at this time.
> a) All files in the ASP engines directory
>(/opt/casp/asp-apache-3000 by default),
>can be set to either 600 or 700 accordingly, EXCEPT
>casp.cnfg and odbc.ini. These
>two files must not be set to any permissions lower
>than 644.
> b) In the CASP installation root directory
>(/opt/casp by default), you can change
>the permissions on the global_odbc.sh file to 600.
>
> Other specific file permission issues are
>being addressed as quickly as possible
>and will be modified in an upcoming release.
>Changing permissions to these files
>necessitates some changes to our product that must
>be blessed by Quality Assurance
>prior to public release in order to ensure that the
>product will continue to function as
>expected. We are well underway with this cycle and
>will try to post updates as
>appropriate.
>
>Software Versions Affected: All Chili!Soft releases on
>UNIX (on versions other than
>Linux, filenames and locations may be modified
>somewhat.)
>
> 4) Issue: InheritUser security mode does not
>properly set the Group ID.
>
>Solution: This must be addressed at the code level
>and thus there is no configuration
>workaround that can be immediately applied. This
>issue is in the process of being
>addressed in the upcoming v3.6 release on Solaris,
>Linux, and HP. We are working to
>have this new release available as quickly as
>possible. We expect to have specific
>dates available in the upcoming week.
>
>Software Versions Affected: All Linux releases.
>Solaris, HP, and AIX *only* when used
>with the Apache web server in multithreaded mode.
>
>We appreciate your patience with these issues. We
>also appreciate that your
>comments and findings help improve our product for
>everyone. Please do not hesitate
>to bring up any concerns you may have by contacting
>us at tech@xxxxxxxxxxxxxx
>
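The configuration and permission steps from items (2b) and (3a/3b) of the quoted Chili!Soft reply, written up as an added shell example; this is not code from Chili!Soft, Cobalt, or either poster. It assumes the layout the advisory names (engine directory /opt/casp/asp-apache-3000 under the install root /opt/casp, a casp.cnfg with an [ASP Applications] section, odbc.ini, global_odbc.sh) and reads the advisory's "600 or 700 accordingly" as 700 for executables and 600 for everything else, which is an assumption. The install it runs against is a constructed sample under a temporary directory, so it can be tried without touching a real server.

```shell
#!/bin/sh
# Added example (not part of the advisory): audit and harden a Chili!Soft ASP
# engine directory along the lines of items (2b) and (3a/3b) of the reply.

# Constructed sample install: casp.cnfg contents, file names and modes are
# made up for demonstration; the layout mirrors the advisory's defaults.
make_sample_install() {
    dir="$1"
    mkdir -p "$dir/asp-apache-3000"
    cat > "$dir/asp-apache-3000/casp.cnfg" <<'EOF'
[Server]
Port=3000

[ASP Applications]
/myapp=/home/sites/myapp
/caspsamp=/opt/casp/caspsamp
/caspsamp/help=/opt/casp/caspsamp/help
EOF
    : > "$dir/asp-apache-3000/odbc.ini"
    : > "$dir/asp-apache-3000/casp.log"
    printf '#!/bin/sh\n' > "$dir/asp-apache-3000/start-server"
    printf '#!/bin/sh\n' > "$dir/global_odbc.sh"
    chmod 644 "$dir/asp-apache-3000/casp.cnfg" "$dir/asp-apache-3000/odbc.ini" \
              "$dir/asp-apache-3000/casp.log"
    chmod 755 "$dir/asp-apache-3000/start-server" "$dir/global_odbc.sh"
}

# Item 2b: comment out every /caspsamp entry, but only inside the
# [ASP Applications] section; other sections and other apps are untouched.
disable_caspsamp() {
    cnfg="$1"
    tmp="$cnfg.tmp.$$"
    awk '
        /^\[/            { apps = ($0 == "[ASP Applications]") }
        apps && /^\/caspsamp/ { print "#" $0; next }
        { print }
    ' "$cnfg" > "$tmp" && cat "$tmp" > "$cnfg" && rm -f "$tmp"
}

# Number of still-active (uncommented) /caspsamp entries in a casp.cnfg.
count_active_caspsamp() {
    grep -c '^/caspsamp' "$1" || true
}

# Audit: report any file in the engine directory that is group- or
# world-accessible, except casp.cnfg and odbc.ini which the advisory
# says must stay at 644. Returns 1 if anything is reported.
audit_world_access() {
    engine="$1"
    bad=0
    for f in "$engine"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in casp.cnfg|odbc.ini) continue ;; esac
        go=$(ls -ld "$f" | cut -c5-10)   # group+other permission bits
        if [ "$go" != "------" ]; then
            echo "group/other access on $f ($go)"
            bad=1
        fi
    done
    return $bad
}

# Item 3a/3b: executables to 700, other files to 600, the two exceptions
# to 644, and global_odbc.sh in the install root to 600.
tighten_permissions() {
    engine="$1"
    for f in "$engine"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in
            casp.cnfg|odbc.ini) chmod 644 "$f" ;;
            *) if [ -x "$f" ]; then chmod 700 "$f"; else chmod 600 "$f"; fi ;;
        esac
    done
    root=$(dirname "$engine")
    if [ -f "$root/global_odbc.sh" ]; then chmod 600 "$root/global_odbc.sh"; fi
    return 0
}

# Demo against the constructed sample in a temporary directory.
demo() {
    d=$(mktemp -d)
    make_sample_install "$d"
    echo "active /caspsamp entries before: $(count_active_caspsamp "$d/asp-apache-3000/casp.cnfg")"
    disable_caspsamp "$d/asp-apache-3000/casp.cnfg"
    echo "active /caspsamp entries after:  $(count_active_caspsamp "$d/asp-apache-3000/casp.cnfg")"
    audit_world_access "$d/asp-apache-3000" || echo "audit failed before tightening (expected)"
    tighten_permissions "$d/asp-apache-3000"
    audit_world_access "$d/asp-apache-3000" && echo "audit clean after tightening"
    rm -rf "$d"
}
demo
```

The audit and the change are separate functions on purpose: an operator can run `audit_world_access` on its own to see what would be reported, and only then decide whether to apply `tighten_permissions`. The permission check parses `ls -ld` output rather than relying on GNU-only `find -perm /mode` or `stat` formats, so it works on the older UNIX systems the advisory covers.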