BugTraq: Re: Advisory: Chili!Soft ASP Multiple Vulnerabilities Page 2
a) All files in the ASP engine's directory (/opt/casp/asp-apache-3000 by default) can be set to either 600 or 700 accordingly, EXCEPT casp.cnfg and odbc.ini. These two files must not be set to any permissions lower than 644.
b) In the CASP installation root directory (/opt/casp by default), you can change the permissions on the global_odbc.sh file to 600.
Other specific file permission issues are being addressed as quickly as possible and will be modified in an upcoming release. Changing permissions to these files necessitates some changes to our product that must be blessed by Quality Assurance prior to public release in order to ensure that the product will continue to function as expected. We are well underway with this cycle and will try to post updates as appropriate.
Software Versions Affected: All Chili!Soft releases on UNIX (on versions other than Linux, filenames and locations may be modified somewhat.)
4) Issue: InheritUser security mode does not properly set the Group ID.
Solution: This must be addressed at the code level and thus there is no configuration workaround that can be immediately applied. This issue is in the process of being addressed in the upcoming v3.6 release on Solaris, Linux, and HP. We are working to have this new release available as quickly as possible. We expect to have specific dates available in the upcoming week.
Software Versions Affected: All Linux releases. Solaris, HP, and AIX *only* when used with Apache webserver in multithread mode.
We appreciate your patience with these issues. We also appreciate that your comments and findings help improve our product for everyone. Please do not hesitate to bring up any concerns you may have by contacting us at firstname.lastname@example.org.
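The permission workaround from items a) and b) above, as an added shell example that is not part of the original message or of Chili!Soft's own tooling. It assumes "600 or 700 accordingly" means 700 for files that already have an execute bit and 600 for the rest, and it sets casp.cnfg and odbc.ini to exactly 644; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit (default) or apply (--apply) the file modes from
# workaround items a) and b). Directories are left untouched.

# Print the mode recommended for one file.
# Assumption: 700 if the file is already executable, otherwise 600.
casp_target_mode() {
    case "$(basename "$1")" in
        casp.cnfg|odbc.ini) echo 644; return ;;   # must stay readable (item a)
        global_odbc.sh)     echo 600; return ;;   # item b
    esac
    if [ -x "$1" ]; then echo 700; else echo 600; fi
}

# usage: casp_harden ROOT ENGINE_DIR [--apply]
# Prints "MODE PATH" for every file whose mode differs from the recommendation.
casp_harden() {
    root=$1 engine=$2 apply=${3:-}
    {
        find "$engine" -type f
        if [ -f "$root/global_odbc.sh" ]; then echo "$root/global_odbc.sh"; fi
    } | while IFS= read -r f; do
        want=$(casp_target_mode "$f")
        # find -perm MODE matches only an exact mode, so empty output = drift
        if [ -z "$(find "$f" -prune -perm "$want")" ]; then
            echo "$want $f"
            if [ "$apply" = "--apply" ]; then chmod "$want" "$f"; fi
        fi
    done
}

# Example with the default paths from the message:
#   casp_harden /opt/casp /opt/casp/asp-apache-3000           # report only
#   casp_harden /opt/casp /opt/casp/asp-apache-3000 --apply   # change modes
```

Run it without `--apply` first and review the list, since the message notes that other permission changes still need vendor-side fixes.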