
[cobalt-users] Broken chroot jail



I fired the message below off to my ISP (not pacbell.net here).  It seems
that there are some difficulties with the SUN 5.x based servers they are
using right now.  I was trying to access my web pages via ftp and discovered
that all 4 of my accounts went directly to /.  No passing go, and lots of
opportunities to make a mess of the servers.  Now, while I had some
interesting privileges, it was not a go anywhere experience.  I was not
given root, but I did have some admin access.

I am posting this here as a warning. After about 5 hours without a response
to the email, I tried again and found access to be the same, free!  I
finally took heart and gave them a phone call.  15 minutes later FTP access
was shut down.  I don't know how much of a panic I created with my
communication, but I am sure it was less than if a script kiddie had
discovered the same issue.

Remember, security is important, services should be checked daily for proper
function, and if a problem is found, services should be turned off.

SteelHead

***************************************
I just logged on to upload some pics of my boys, and accidentally found that
the chroot jail is broken.  I seem to be able to wander around to many
places I should not be able to.

right now (15:48 PDT, 30 July, 2001) I am connected so you can find me.  My
connection is from
ppp-63-206-167-144.dialup.sktn01.pacbell.net

I hope you can figure out the cause of the breach on your side before it is
crashed by someone with few ethics.

As a courtesy, we are checking the quality of
<</.bigdisk/USR.LOCAL.CYBERCASH/merchants/admin.pw>>

Bill


#   The root directory where the CashRegister software is installed.
#   All relative filenames throughout the coin server configuration
#   files (mall- and merchant-level) are relative to SMPS_HOME.
SMPS_HOME = /.bigdisk/USR.LOCAL.CYBERCASH
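A daily check for the advice above, added here and not part of the original post or the ISP's software: it logs in as an ordinary FTP account (or takes a constructed fake server object) and reports whether the chroot jail actually holds. The host, credentials and the list of system directory names are assumptions.

```python
"""Check that an FTP account's chroot jail holds.  Added example, not code from
the original post or the ISP; it accepts anything with ftplib.FTP's pwd/cwd/nlst."""
import posixpath
from ftplib import FTP, error_perm

SYSTEM_DIRS = {"etc", "usr", "bin", "dev", "var", ".bigdisk"}  # never visible from a jail (assumed list)

def check_chroot(ftp):
    """Return a list of findings; an empty list means the jail held."""
    findings = []
    home, home_listing = ftp.pwd(), set(ftp.nlst())
    for target in ("/", "..", "/../.."):  # ways of stepping out of home
        try:
            ftp.cwd(target)
        except error_perm:
            continue  # server refused the change, which is what we want
        where, names = ftp.pwd(), set(ftp.nlst())
        leaked = names & SYSTEM_DIRS
        if leaked:
            findings.append(f"cwd {target!r} -> {where}: exposes {sorted(leaked)}")
        elif names != home_listing:
            findings.append(f"cwd {target!r} -> {where}: listing differs from home")
        ftp.cwd(home)  # step back before the next attempt
    return findings

def probe(host, user, password):
    """Log in to a live server as an ordinary user and run the check."""
    ftp = FTP(host, timeout=15)
    ftp.login(user, password)
    try:
        return check_chroot(ftp)
    finally:
        ftp.quit()

class FakeFTP:
    """Constructed stand-in for a server: a path -> listing map, no network."""
    def __init__(self, home, tree):
        self.path, self.tree = home, tree
    def pwd(self):
        return self.path
    def cwd(self, target):
        self.path = posixpath.normpath(posixpath.join(self.path, target))
    def nlst(self):
        return list(self.tree.get(self.path, []))

if __name__ == "__main__":
    # The post's situation: the account lands in the real filesystem tree.
    broken = FakeFTP("/home/bill", {"/home/bill": ["pics", "www"], "/home": ["bill"],
                                    "/": ["etc", "usr", "home", ".bigdisk"]})
    print("\n".join(check_chroot(broken)) or "jail intact")
```

Run `probe(host, user, password)` from cron against each customer account; any non-empty result means the jail is broken and the service should be shut down until fixed.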