[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Second reply Re: [cobalt-users] Telnet Script
- Subject: Re: Second reply Re: [cobalt-users] Telnet Script
- From: support <support@xxxxxxxxxxxxx>
- Date: Sun Aug 11 15:33:00 2002
- Organization: VFastlink.com
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Thanks Jeff. Our test results were similar. Although the user couldn't
edit or delete data that did not belong to him, he could read it. This made
it quite a security risk. The website that publishes it also has decryption
software to help the knowledgable user to decode password files. We found
this script in a fraudulant user's cgi-bin. We mentioned it here because we
received no response through other channels. We were just hoping that
someone (Cobalt) had a security fix. We haven't studied the wrapper that
comes with the unit, but it would seem that the default cgi wrapper would
prevent this.
----- Original Message -----
From: "Jeff Lasman" <jblists@xxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Sunday, August 11, 2002 1:39 PM
Subject: Second reply Re: [cobalt-users] Telnet Script
> I've installed and tested this script.
>
> Here are a few interesting things I've discovered...
>
> 1) It runs as the owner of the script, which should be the siteadmin
> user.
>
> 2) It sends the password with each command; this was a reasonable
> assumption, since html is a stateless protocol, but nevertheless I did
> test it.
>
> 3) It does NOT seem to store the password in a cookie saved on disk, but
> I didn't check this thoroughly.
>
> 4) You must set an explicit password which may or may not be your user
> password.
>
> 5) The su command doesn't work.
>
> 6) It has only the rights of the user it runs as; you can see the
> contents of /etc/passwd, but not of /etc/shadow.
>
> My guess is that no cobalt-users list is really the right place to
> discuss this program; it's proper place should be on a general
> web-security list.
>
> What it does is gives knowledgeable users some shell access to your
> system even if you've got shell access turned off.
>
> It could be used to read sensitive data on another website served on
> your server if that data is not encrypted.
>
> We'll probably publish a whitepaper on it; the whitepaper, if and when
> published, will be available on the "http://www.nobaloney.net/"; website.
>
> Should you add to your terms of service a paragraph forbidding tools
> that allow shell access through a browser? I'm not sure; it might just
> bring attention to such tools rather than discourage their use.
>
> Should you disable and/or kill this package if and when you find one of
> your clients is using it? Again I'm not going to make a recommendation
> except to say that if you do that, then you should have something in
> your terms of service to back it up.
>
> I hope I've helped shed at least a bit of light on this somewhat
> disturbing program.
>
> Jeff
>
> support wrote:
> >
> > We never got an answer from Cobalt on this one, except "interesting".
> > Running this script http://www.rohitab.com/cgiscripts/cgitelnet.html on
a
> > virtual site, you can walk all the way up the directory to root. View
files
> > that you should not see, even if telnet is turned off on the Raq.
> >
> > Anyone no a way to stop users from using a script like this?
> --
> Jeff Lasman <jblists@xxxxxxxxxxxxx>
> Linux and Cobalt/Sun/RaQ Consulting
> nobaloney.net, P. O. Box 52672, Riverside, CA 92517
> voice: +1 909 778-9980 * fax: +1 909 548-9484
>
> _____________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>