
[cobalt-users] RaQ550 information leak



Got an interesting call today...

Basically site-adm from siteA logs in and gets a URL similar to this:
http://host.example.net:444/nav/cList.php?root=sitemanageRoot&group=site1&hostname=host.example.net&goto=base_userList

This site-adm changes the 'siteA' in the URL to say 'siteB', and is then
given the information from siteB without having to auth. as a site-adm
from siteB... 

I tested and can reproduce with any site-adm going to any other vsite.
It appears to be only information leak (User list, web setup, usage
info, etc.), as siteA's admin cannot make changes in siteB. If you do
try to make a change in another vsite, you get Red-! with "Permission
for X is denied." 

Is there a way to stop a site-adm from seeing any vsite other than their
own?

Rusty Waybrant
rwaybrant@xxxxxxxxxxxxx
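A server-side check of the kind the question asks for, as an added example that is not Cobalt/RaQ code: the handler decides from session state set at login which vsite groups the caller administers, and refuses the view when the 'group' query parameter names any other group. All names here (Session, authorize_group_view, handle_clist) are hypothetical.

```python
"""Object-level authorization for a per-vsite admin page.

Added example (not Cobalt/RaQ code): models the fix for the flaw in the
post, where the 'group' query parameter was acted on without checking
that the logged-in site admin actually administers that group.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit, parse_qs


@dataclass
class Session:
    """Server-side session state, set at login, never from the request."""
    user: str
    is_server_admin: bool = False
    admin_of: frozenset = field(default_factory=frozenset)  # vsite groups


def requested_group(url: str) -> Optional[str]:
    """Extract the 'group' query parameter exactly as the UI would see it."""
    values = parse_qs(urlsplit(url).query).get("group")
    return values[0] if values else None


def authorize_group_view(session: Session, group: Optional[str]) -> bool:
    """Allow the view only if the session principal administers 'group'.

    The decision uses session data only; nothing in the URL (group,
    hostname, goto) is trusted to establish authority over a vsite.
    """
    if group is None:
        return False
    if session.is_server_admin:
        return True
    return group in session.admin_of


def handle_clist(session: Session, url: str) -> Tuple[int, str]:
    """Simulated cList.php handler: 200 with the group on success, 403 otherwise."""
    group = requested_group(url)
    if not authorize_group_view(session, group):
        return 403, "Permission denied"
    return 200, f"user list for {group}"
```

The same check belongs in every view that takes a group or site identifier from the URL (web setup, usage info, etc.), not only the user list.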