[cobalt-users] Re: Advisory: Chili!Soft ASP Multiple Vulnerabilities



Hi Tony,

Thanks for bringing this concern up.

Here are a few pointers.

1)  On a RaQ3 machine, you can use the ASP Admin Console to remove the ASP
Applications.  This is done via the Web and would not require you to telnet
to the machine.

2)  On a RaQ4, we currently do not have a pkg that would disable the ASP
samples.

3)  The ASP Admin Console username and password must be changed via a
telnet connection.  This is not something that can be done via any PKG,
because the PKG's are not interactive.

4)  On all RaQ products,  the default location for Chili!Soft ASP is
"/home/chiliasp/".

5)  On RaQ products, a person cannot use the codebrws exploit to get to any
files above the /home/chiliasp directory.

6)  If you choose to telnet to the RaQ4 machine and make the change to the
"/home/chiliasp/asp-apache-3000/casp.cnfg" file (to disable the ASP
Samples), you will not affect any other capabilities of your machine
besides Chili!Soft ASP.  If you would like one of our Support engineers to
perform this fix for you, please contact us at tech@xxxxxxxxxxxxx and we
will be more than happy to help you.

I know that doesn't help you for now on the RaQ4 as far as a pkg solution,
but it should help out some for the RaQ3's.

Best regards,

John "JB" Brock
Support Services Manager
Sun Microsystems -- Chili!Soft Office



GPS wrote:

> Dear Mr Brock,
>
> I have concerns about the Cobalt install of ChiliSoft on
> Raq3's and Raq4's. There's no mention in your post below for
> what Sun/Cobalt SERVER APPLIANCE owners are supposed to do.
> Cobalt claims that customers would void their warranty if they
> attempted such fixes as you recommend via telnet. Cobalt only
> advocates installing their PKG format security upgrades through
> the Raq's Web Admin GUI.
>
> In the meantime we've just completely disabled the use of the ChiliSoft
> software and will not recommend any of our clients attempt to run it until
> we hear of a patch from Cobalt.
>
> Tony Patti
> Global Profit Solutions
>
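The reply above recommends a hand edit of casp.cnfg on a RaQ4 to disable the ASP samples. The POSIX shell script below is an added example, not code from Sun, Cobalt or Chili!Soft, and shows the pre-edit checks an administrator would want before touching that file: confirm the default install path from the message is present, take a timestamped backup of the config so the edit can be reverted, and list the lines that mention samples for review. The default paths are taken from the message; the assumption that sample-related entries contain the word "sample" is mine, since the page does not describe the file's keys.

```shell
#!/bin/sh
# Added example (not Sun/Cobalt/Chili!Soft code): pre-edit checks for the
# manual casp.cnfg change described in the support reply.
# Assumptions: the default install location quoted in the message
# (/home/chiliasp, casp.cnfg under asp-apache-3000); the config file's
# key names are unknown here, so this only backs the file up and reports
# lines mentioning "sample" for a human to review before editing.

CHILI_HOME="${CHILI_HOME:-/home/chiliasp}"
CASP_CNFG="${CASP_CNFG:-$CHILI_HOME/asp-apache-3000/casp.cnfg}"

# chili_present DIR FILE: succeed only if both the install directory and
# the config file exist, i.e. a default Chili!Soft ASP layout is in place.
chili_present() {
    [ -d "$1" ] && [ -f "$2" ]
}

# backup_cnfg FILE: copy the config to FILE.bak.<timestamp> (permissions
# preserved) before any hand edit, and print the backup path. Fails if the
# file is missing or the copy fails, so a caller can stop before editing.
backup_cnfg() {
    cnfg="$1"
    [ -f "$cnfg" ] || return 1
    bak="$cnfg.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$cnfg" "$bak" || return 1
    printf '%s\n' "$bak"
}

# count_sample_lines FILE: number of lines that mention "sample"
# (case-insensitive). Which entries actually enable the ASP samples is an
# assumption; this only narrows down what the administrator should inspect.
count_sample_lines() {
    grep -ic 'sample' "$1" 2>/dev/null || true
}

# main: run the checks against the configured paths and report.
main() {
    if ! chili_present "$CHILI_HOME" "$CASP_CNFG"; then
        printf 'No default Chili!Soft ASP install found at %s\n' "$CHILI_HOME"
        return 1
    fi
    bak=$(backup_cnfg "$CASP_CNFG") || { echo "backup failed, not editing"; return 1; }
    printf 'Backup written to %s\n' "$bak"
    printf '%s line(s) mention "sample" in %s; review them before editing:\n' \
        "$(count_sample_lines "$CASP_CNFG")" "$CASP_CNFG"
    grep -in 'sample' "$CASP_CNFG" || true
}

# Usage: sh chili_precheck.sh run   (functions only are defined otherwise)
case "${1:-}" in
    run) main ;;
esac
```

Run it with `run` before opening casp.cnfg in an editor; if it reports no install or a failed backup, stop and investigate rather than editing in place.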