Server NewsBugTraq: Advisory: Chili!Soft ASP Multiple Vulnerabilities Page 2

BugTraq: Advisory: Chili!Soft ASP Multiple Vulnerabilities Page 2

ServerWatch Staff
By ServerWatch Staff
Server News

ServerWatch content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. 




    which is probably the only file installed with the correct permissions
    (in this case mode 600).

(3) There are several files installed mode 666 which is a serious no-no as
    some logs and configuration files are affected by this. On my system the
    following files were installed mode 666:

/opt/casp/logs/install_summary
/opt/casp/logs/install
/opt/casp/logs/register
/opt/casp/logs/server-3000
/opt/casp/logs/component
/opt/casp/caspsamp/401K/database/QEDBF.INI
/opt/casp/caspsamp/friendship/agent/database/QEDBF.INI
/opt/casp/caspsamp/friendship/client/database/QEDBF.INI
/opt/casp/caspsamp/QEDBF.INI
/opt/casp/chilicom/lib/hkey.current.user
/opt/casp/chilicom/lib/hkey.local.machine
/opt/casp/INSTALL/.webserver-cache
/opt/casp/.installed_db
/opt/casp/admin/conf/hkey.current.user
/opt/casp/admin/conf/hkey.local.machine
/opt/casp/admin/logs/server

    This may seem bad it gets worse.  Most of the files dealing with
    databases such as global_odbc.ini and odbc.ini are all world-readable and
    thus by default expose passwords administrators may lator install to
    local users.  All configuration files for the server and subsequent other
    services offered Chili!Soft ASP are also world-readable exposing even
    more useful information to local users.

Examples:
http:///caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd
http:///caspsamp/codebrws.asp?source=/caspsamp/../global_odbc.ini
http:///caspsamp/codebrws.asp?source=/caspsamp/../admin/logs/server
http:///caspsamp/codebrws.asp?source=/caspsamp/../LICENSE.LIC
http:///caspsamp/codebrws.asp?source=/caspsamp/../logs/server-3000

Solution: Remove all references to the sample ASP file in your httpd.conf and
replace the default admin account.  Then change file permissions in /opt/casp
as your system security dictates (in other words figure it out for yourself)

Vendor Status: Vendor was e-mailed these problems on December 30, 2000.

Copyright )2001 Stan Bubrouski

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends & analysis

Latest Posts

Related Stories

ServerWatch is an established resource for technology buyers looking to increase or improve their data center infrastructure. ServerWatch’s reviews, comparisons, tutorials, and guides help readers make informed purchase decisions around the hardware, software, security, management, and monitoring tools they use to innovate for employees and customers.

Advertisers

Advertise with TechnologyAdvice on ServerWatch and our other data and technology-focused platforms.

Advertise with Us

Menu

Our Brands

Property of TechnologyAdvice.
© 2024 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.