[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Second reply Re: [cobalt-users] Telnet Script

Subject: Second reply Re: [cobalt-users] Telnet Script
From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
Date: Sun Aug 11 11:40:01 2002
Organization: nobaloney.net
List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>

I've installed and tested this script.

Here are a few interesting things I've discovered...

1) It runs as the owner of the script, which should be the siteadmin
user.

2) It sends the password with each command; this was a reasonable
assumption, since html is a stateless protocol, but nevertheless I did
test it.

3) It does NOT seem to store the password in a cookie saved on disk, but
I didn't check this thoroughly.

4) You must set an explicit password which may or may not be your user
password.

5) The su command doesn't work.

6) It has only the rights of the user it runs as; you can see the
contents of /etc/passwd, but not of /etc/shadow.

My guess is that no cobalt-users list is really the right place to
discuss this program; it's proper place should be on a general
web-security list.

What it does is gives knowledgeable users some shell access to your
system even if you've got shell access turned off.

It could be used to read sensitive data on another website served on
your server if that data is not encrypted.

We'll probably publish a whitepaper on it; the whitepaper, if and when
published, will be available on the "http://www.nobaloney.net/"; website.

Should you add to your terms of service a paragraph forbidding tools
that allow shell access through a browser?  I'm not sure; it might just
bring attention to such tools rather than discourage their use.

Should you disable and/or kill this package if and when you find one of
your clients is using it?  Again I'm not going to make a recommendation
except to say that if you do that, then you should have something in
your terms of service to back it up.

I hope I've helped shed at least a bit of light on this somewhat
disturbing program.

Jeff

support wrote:
> 
> We never got an answer from Cobalt on this one, except "interesting".
> Running this script http://www.rohitab.com/cgiscripts/cgitelnet.html  on a
> virtual site, you can walk all the way up the directory to root.  View files
> that you should not see, even if telnet is turned off on the Raq.
> 
> Anyone no a way to stop users from using a script like this?
-- 
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net, P. O. Box 52672, Riverside, CA  92517
voice: +1 909 778-9980  *  fax: +1 909 548-9484

Follow-Ups:
- Re: Second reply Re: [cobalt-users] Telnet Script
  - From: support

References:
- [cobalt-users] Telnet Script
  - From: support

Prev by Date: [cobalt-users] SHP - Package, manual available?
Next by Date: [cobalt-users] RE: cobalt-users digest, Vol 1 #4830 - 8 msgs
Previous by thread: Re: [cobalt-users] Telnet Script
Next by thread: Re: Second reply Re: [cobalt-users] Telnet Script

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index