Re: [cobalt-users] RE: Advisory: Chili!Soft ASP Multiple Vulnerabilities
- From: baltimoremd@xxxxxxxxxxxxxxx
- Date: Mon Feb 26 17:07:07 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Mon, 26 Feb 2001, GPS wrote:
> Dear Mr Brock,
>
> I have concerns about the Cobalt install of ChiliSoft on
> Raq3's and Raq4's.
> >2) Issue: Chili!Soft ASP sample applications
> >contain the ability to view the source of
> >the sample ASP applications. This "codebrws.asp"
> >script can be exploited to view any
> >files on the system where the full path to the file
> >location is known.
The RaQ3-RaQ4-MySQL 3.22.32-1 doesn't install the samples
in /opt ... and the how-to states:
This package assumes no prior installation of MySQL on the
Cobalt RaQ and will install the necessary RPM files.
It will also install Perl DBI and the DBI
MySQL module. If you have made an attempt to install
MySQL by other means, remove all
traces of it before installing this package. This will
not upgrade a prior installation of MySQL
> >BugTraQ Advisory "Chili!Soft ASP
> >Multiple Vulnerabilities" are directly related to the
> >ability to reach the /caspsamp virtual
> >directory. If one can not view the ASP Sample
> >applications from the web, one can not
> >access the configuration and log files from the web.
On the RaQ4, I can't seem to view the sample applications
at
http://the_ip_number_where_asp_is_installed:5100/caspsamp/
> > a) All files in the ASP engines directory
> >(/opt/casp/asp-apache-3000 by default),
not installed in /opt/ path
> >than 644.
> > b) In the CASP installation root directory
> >(/opt/casp by default), you can change
Not installed there
So, since I can't find the files in the locations specified, and I can't
seem to bring them up on the browser... is there really an issue?
Thom
././././././././././././././././././././././././././././././././././././././
baltimoremd@xxxxxxxxxxxxxxx Thom LaCosta K3HRN Webmaster