which is probably the only file installed with the correct permissions
(in this case mode 600).
(3) There are several files installed mode 666, which is a serious no-no, as
some logs and configuration files are affected by this. On my system the
following files were installed mode 666:
/opt/casp/logs/install_summary
/opt/casp/logs/install
/opt/casp/logs/register
/opt/casp/logs/server-3000
/opt/casp/logs/component
/opt/casp/caspsamp/401K/database/QEDBF.INI
/opt/casp/caspsamp/friendship/agent/database/QEDBF.INI
/opt/casp/caspsamp/friendship/client/database/QEDBF.INI
/opt/casp/caspsamp/QEDBF.INI
/opt/casp/chilicom/lib/hkey.current.user
/opt/casp/chilicom/lib/hkey.local.machine
/opt/casp/INSTALL/.webserver-cache
/opt/casp/.installed_db
/opt/casp/admin/conf/hkey.current.user
/opt/casp/admin/conf/hkey.local.machine
/opt/casp/admin/logs/server
This may seem bad, but it gets worse. Most of the files dealing with
databases, such as global_odbc.ini and odbc.ini, are world-readable and
thus by default expose to local users any passwords administrators may later
install. All configuration files for the server and the other services
offered by Chili!Soft ASP are also world-readable, exposing even more useful
information to local users.
Examples:
http:///caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd
http:///caspsamp/codebrws.asp?source=/caspsamp/../global_odbc.ini
http:///caspsamp/codebrws.asp?source=/caspsamp/../admin/logs/server
http:///caspsamp/codebrws.asp?source=/caspsamp/../LICENSE.LIC
http:///caspsamp/codebrws.asp?source=/caspsamp/../logs/server-3000
Solution: Remove all references to the sample ASP files from your httpd.conf and
replace the default admin account. Then change file permissions in /opt/casp
as your system security dictates (in other words, figure it out for yourself).
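As an added defender-side check that is not part of the original advisory: a small POSIX shell audit for the permission problems described above. It assumes the default /opt/casp install path, and the set of "sensitive" name patterns (*.ini, *.pwd, hkey.*, the hidden install-state files, anything under a logs directory) is an assumption drawn from the files listed above.

```shell
#!/bin/sh
# Audit helper for a Chili!Soft ASP tree (added example; assumes /opt/casp).
# Reports files that are world-writable (the mode-666 problem) and
# world-readable configuration/log files that may hold passwords.

# Files under $1 that are world-writable (-perm -002 = "other" write bit set).
casp_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# World-readable files under $1 whose names match the sensitive set
# (assumed patterns based on the files named in the advisory).
casp_world_readable_sensitive() {
    find "$1" -type f -perm -004 \( -name '*.ini' -o -name '*.pwd' \
        -o -name 'hkey.*' -o -name '.installed_db' \
        -o -name '.webserver-cache' -o -path '*/logs/*' \) \
        2>/dev/null | sort
}

# Number of distinct problem files under $1 (0 means clean).
casp_problem_count() {
    { casp_world_writable "$1"; casp_world_readable_sensitive "$1"; } \
        | sort -u | wc -l | tr -d ' '
}

# Tighten every reported file to mode 600 (owner read/write only).
# Run as the file owner or root; relax to 640 with the web server's group
# if the server process must still read a given file.
casp_fix_permissions() {
    { casp_world_writable "$1"; casp_world_readable_sensitive "$1"; } \
        | sort -u | while IFS= read -r f; do
        chmod 600 "$f" && printf 'fixed %s\n' "$f"
    done
}

# Usage: casp_problem_count /opt/casp ; casp_fix_permissions /opt/casp
```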
Vendor Status: Vendor was e-mailed these problems on December 30, 2000.
Copyright (c) 2001 Stan Bubrouski