RE: [cobalt-users] Everyone can view all users (RAQ5)
- Subject: RE: [cobalt-users] Everyone can view all users (RAQ5)
- From: "Bob Noordam" <bno@xxxxxxxxx>
- Date: Tue Sep 2 07:14:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> Subject: [cobalt-users] Everyone can view all users (RAQ5)
>
>
> If you go to this url and log in using a siteadmin username and password,
> you get a list of all users on the Cobalt. Anyone know how to
> secure this?
>
> http://hostname:444/base/user/userList.php
>
>
> Mvh,
> Regards,
> Eivind Ravndal
> NetPower Int
>
Hehe, this topic turns up every three months or so; there has been discussion
about it here and in the forums on the Sun site some times. Someone posted a
PHP fix a while back on one of the lists.
If you are going to search the archives, the keyword "userlist.php" is the best
start.
PS. Note that it is "only" viewing; modifying gives errors.
Someone worth contacting, for they sure have a solution:
From: "Anders" <andersb AT blacksun.ca>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Tuesday, May 06, 2003 3:36 AM
Subject: Re: [cobalt-users] userList.php possible exploit
>
> I haven't seen an official response yet, though.
> Solution (security patch) is around 6 lines of code.
> I'll see what I can do, about us releasing a package?
>
> --anders
> BlackSun Inc.
> http://www.blacksun.ca