which is probably the only file installed with the correct permissions (in this case mode 600).

(3) Several files are installed mode 666, which is a serious no-no, since logs and configuration files are among them. On my system the following files were installed mode 666:

/opt/casp/logs/install_summary
/opt/casp/logs/install
/opt/casp/logs/register
/opt/casp/logs/server-3000
/opt/casp/logs/component
/opt/casp/caspsamp/401K/database/QEDBF.INI
/opt/casp/caspsamp/friendship/agent/database/QEDBF.INI
/opt/casp/caspsamp/friendship/client/database/QEDBF.INI
/opt/casp/caspsamp/QEDBF.INI
/opt/casp/chilicom/lib/hkey.current.user
/opt/casp/chilicom/lib/hkey.local.machine
/opt/casp/INSTALL/.webserver-cache
/opt/casp/.installed_db
/opt/casp/admin/conf/hkey.current.user
/opt/casp/admin/conf/hkey.local.machine
/opt/casp/admin/logs/server

This may seem bad, but it gets worse. Most of the files dealing with databases, such as global_odbc.ini and odbc.ini, are world-readable, so by default any passwords administrators later put in them are exposed to local users. All configuration files for the server and for the other services offered by Chili!Soft ASP are also world-readable, exposing even more useful information to local users. The sample source viewer codebrws.asp follows the ".." in its source parameter, so the same files can also be read remotely through the web server.

Examples:

http:///caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd
http:///caspsamp/codebrws.asp?source=/caspsamp/../global_odbc.ini
http:///caspsamp/codebrws.asp?source=/caspsamp/../admin/logs/server
http:///caspsamp/codebrws.asp?source=/caspsamp/../LICENSE.LIC
http:///caspsamp/codebrws.asp?source=/caspsamp/../logs/server-3000

Solution:

Remove all references to the sample ASP files in your httpd.conf and replace the default admin account. Then change the file permissions in /opt/casp as your system security dictates (in other words, figure it out for yourself).

Vendor Status:

Vendor was e-mailed these problems on December 30, 2000.

Copyright (c) 2001 Stan Bubrouski
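The advisory leaves the permission cleanup to the reader. The script below is an added example, not part of the advisory and not vendor code, showing one way to audit an install tree for world-writable and world-readable files and to tighten them: configuration, database and log files go to mode 600, everything else loses world access. It assumes the tree lives under /opt/casp (the functions take the root as an argument), and the sample tree it builds in a temporary directory is constructed here to mirror a few of the paths listed above.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and harden a Chili!Soft ASP
# install tree such as /opt/casp. Assumed layout: logs/, admin/conf/,
# caspsamp/ and the .ini/.pwd/hkey.* files named in the advisory.

# Regular files under $1 that anyone can write (world write bit set).
find_world_writable() {
    find "$1" -type f -perm -002
}

# Regular files under $1 that anyone can read (world read bit set).
find_world_readable() {
    find "$1" -type f -perm -004
}

# Count the lines produced by a finder, without wc's leading padding.
count_files() {
    wc -l | tr -d ' '
}

# Tighten a tree: config/database/log files become owner-only (600),
# every remaining world-readable file and every directory drops world access.
harden_tree() {
    root=$1
    find "$root" -type f \( -name '*.ini' -o -name '*.INI' -o -name '*.pwd' \
        -o -name 'hkey.*' -o -path '*/logs/*' \) -exec chmod 600 {} +
    find "$root" -type f -perm -004 -exec chmod o-rwx {} +
    find "$root" -type d -exec chmod o-rwx {} +
}

# Constructed sample tree: a handful of the advisory's paths, all mode 666,
# created under a temporary directory so the example runs offline.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/logs" "$root/admin/conf" "$root/caspsamp"
    for f in logs/install logs/server-3000 admin/conf/hkey.local.machine \
             caspsamp/QEDBF.INI global_odbc.ini admin/conf/service.pwd; do
        : > "$root/$f"
        chmod 666 "$root/$f"
    done
    echo "$root"
}

# Usage on a real install, after sourcing this file:
#   find_world_writable /opt/casp      # review first
#   find_world_readable /opt/casp
#   harden_tree /opt/casp              # then tighten
```

Review the two listings before running harden_tree: the web server user still needs to read the ASP sources and write its own logs, so after hardening, chown those paths to that user rather than reopening them to everyone.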
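The example URLs above also give a usable detection signature: a request to codebrws.asp whose source parameter climbs out of /caspsamp with "..", plain or URL-encoded. The grep below is an added example, not from the advisory, that pulls such requests out of a common-log-format access log; the log lines it checks itself are constructed for illustration and the IP addresses and timestamps are made up.

```shell
#!/bin/sh
# Added example (not from the advisory): flag codebrws.asp traversal attempts
# in a web server access log (common log format assumed).

# Print every request whose codebrws.asp source= parameter contains ".." in
# plain or %2e-encoded form, case-insensitively.
detect_codebrws_traversal() {
    grep -iE 'codebrws\.asp\?[^ "]*source=[^ "]*(\.\.|%2e%2e|%2e\.|\.%2e)' "$1"
}

# Constructed sample log: three traversal attempts, one legitimate sample
# request and one unrelated request.
make_sample_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
10.0.0.5 - - [30/Dec/2000:12:00:01 -0500] "GET /caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd HTTP/1.0" 200 512
10.0.0.5 - - [30/Dec/2000:12:00:02 -0500] "GET /caspsamp/codebrws.asp?source=/caspsamp/..%2F..%2Fglobal_odbc.ini HTTP/1.0" 200 804
10.0.0.9 - - [30/Dec/2000:12:00:03 -0500] "GET /caspsamp/codebrws.asp?source=/caspsamp/401K/default.asp HTTP/1.0" 200 3020
10.0.0.9 - - [30/Dec/2000:12:00:04 -0500] "GET /caspsamp/codebrws.asp?source=/caspsamp/%2e%2e/LICENSE.LIC HTTP/1.0" 200 1100
10.0.0.7 - - [30/Dec/2000:12:00:05 -0500] "GET /index.html HTTP/1.0" 200 2048
EOF
    echo "$log"
}

# Usage on a real log: detect_codebrws_traversal /var/log/httpd/access_log
```

Any hit is worth acting on whatever the status code says, because the sample viewer returns 200 for the files it reads; the real fix remains removing the caspsamp references from httpd.conf, as the advisory says.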