BugTraq: Advisory: Chili!Soft ASP Multiple Vulnerabilities Page 2


    which is probably the only file installed with the correct permissions
    (in this case mode 600).

(3) There are several files installed mode 666, which is a serious no-no as
    some logs and configuration files are affected by this. On my system the
    following files were installed mode 666:


    This may seem bad, but it gets worse.  Most of the files dealing with
    databases, such as global_odbc.ini and odbc.ini, are world-readable and
    thus by default expose passwords administrators may later install to
    local users.  All configuration files for the server and the other
    services offered by Chili!Soft ASP are also world-readable, exposing even
    more useful information to local users.


Solution: Remove all references to the sample ASP file in your httpd.conf and
replace the default admin account.  Then change file permissions in /opt/casp
as your system security dictates (in other words, figure it out for yourself).
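
One way to find and tighten the permissions described above, as an added example that is not part of the original advisory. The function names are hypothetical; /opt/casp and the *.ini file names come from the advisory, and the tightening step assumes the server account owns the files or reaches them through group permissions.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an install tree for the two
# permission problems it describes. Function names are hypothetical.
# Source this file, then run: audit_tree /opt/casp

# Regular files any local user can modify (mode 666 and similar).
world_writable() {
    find "$1" -type f -perm -0002 -print | sort
}

# ODBC-style *.ini files any local user can read (these may hold DB passwords).
world_readable_ini() {
    find "$1" -type f -name '*.ini' -perm -0004 -print | sort
}

# Print a report. Returns 0 if the tree is clean, 1 if anything was found.
audit_tree() {
    root=${1:-/opt/casp}
    ww=$(world_writable "$root")
    wr=$(world_readable_ini "$root")
    if [ -n "$ww" ]; then printf 'world-writable files:\n%s\n' "$ww"; fi
    if [ -n "$wr" ]; then printf 'world-readable ini files:\n%s\n' "$wr"; fi
    [ -z "$ww" ] && [ -z "$wr" ]
}

# One possible tightening (assumption: the server account owns the files or
# reaches them via group permissions): drop "other" write everywhere and
# "other" read on the ini files. Owner and group bits are left untouched.
tighten_tree() {
    root=${1:-/opt/casp}
    find "$root" -type f -perm -0002 -exec chmod o-w {} +
    find "$root" -type f -name '*.ini' -perm -0004 -exec chmod o-r {} +
}
```

Run audit_tree before and after tighten_tree, and confirm the server still starts, since some installs rely on the "other" bits for the service account.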

Vendor Status: Vendor was e-mailed these problems on December 30, 2000.

Copyright © 2001 Stan Bubrouski

This article was originally published on Feb 21, 2001