
BugTraq: Advisory: Chili!Soft ASP Multiple Vulnerabilities Page 2

Feb 21, 2001



    which is probably the only file installed with the correct permissions
    (in this case mode 600).

(3) Several files are installed mode 666 (world-writable), which is a serious
    problem because log files and configuration files are among them: any local
    user can alter or truncate them. On my system the following files were
    installed mode 666:

/opt/casp/logs/install_summary
/opt/casp/logs/install
/opt/casp/logs/register
/opt/casp/logs/server-3000
/opt/casp/logs/component
/opt/casp/caspsamp/401K/database/QEDBF.INI
/opt/casp/caspsamp/friendship/agent/database/QEDBF.INI
/opt/casp/caspsamp/friendship/client/database/QEDBF.INI
/opt/casp/caspsamp/QEDBF.INI
/opt/casp/chilicom/lib/hkey.current.user
/opt/casp/chilicom/lib/hkey.local.machine
/opt/casp/INSTALL/.webserver-cache
/opt/casp/.installed_db
/opt/casp/admin/conf/hkey.current.user
/opt/casp/admin/conf/hkey.local.machine
/opt/casp/admin/logs/server

    This may seem bad, but it gets worse.  Most of the files dealing with
    databases, such as global_odbc.ini and odbc.ini, are world-readable and
    thus expose to local users any passwords that administrators later
    add to them.  All configuration files for the server and the other
    services offered by Chili!Soft ASP are also world-readable, exposing even
    more useful information to local users.
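The checks a practitioner would run over such an install, as an added example that is not part of the original advisory and not Chili!Soft's code: walk a directory tree, report every world-writable file and every world-readable file whose name marks it as an ODBC or password file, then remediate. The tree it audits is a constructed stand-in for /opt/casp built in a temporary directory (a few of the paths from the list above with the modes the advisory reports), so the script runs offline; the policy it enforces (no o+w anywhere, .ini and .pwd files owner-only) is an assumption of this example.

```python
import os
import stat
import tempfile

# Assumed policy for this added example: nothing under the install may be
# world-writable, and ODBC / password files must not be world-readable.
WORLD_WRITABLE = 0o002
WORLD_READABLE = 0o004
SENSITIVE_SUFFIXES = (".ini", ".pwd")   # global_odbc.ini, odbc.ini, QEDBF.INI, service.pwd


def audit_tree(root):
    """Walk root; return (world_writable, readable_sensitive), each a sorted
    list of (path relative to root, octal mode)."""
    writable, readable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            if mode & WORLD_WRITABLE:
                writable.append((rel, oct(mode)))
            if mode & WORLD_READABLE and name.lower().endswith(SENSITIVE_SUFFIXES):
                readable.append((rel, oct(mode)))
    return sorted(writable), sorted(readable)


def fix_modes(root, writable, readable):
    """Remediate: drop o+w from every world-writable file, and make the
    sensitive configs owner-only (0600)."""
    for rel, _ in writable:
        path = os.path.join(root, rel)
        os.chmod(path, stat.S_IMODE(os.lstat(path).st_mode) & ~WORLD_WRITABLE)
    for rel, _ in readable:
        os.chmod(os.path.join(root, rel), 0o600)


def build_sample_install(root):
    """Constructed stand-in for /opt/casp: a handful of the advisory's paths
    with the modes it reports, created under a temp dir so this runs offline."""
    layout = {
        "logs/server-3000": 0o666,
        "admin/conf/hkey.local.machine": 0o666,
        "caspsamp/QEDBF.INI": 0o666,       # both world-writable and a sensitive config
        "global_odbc.ini": 0o644,          # world-readable ODBC config
        "admin/conf/service.pwd": 0o600,   # the one correctly protected file
        "caspsamp/codebrws.asp": 0o644,    # ordinary sample page, not flagged
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)


def demo():
    """Build the sample tree, audit it, fix it, audit again; return both audits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        before = audit_tree(tmp)
        fix_modes(tmp, *before)
        after = audit_tree(tmp)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("world-writable:", before[0])
    print("world-readable sensitive:", before[1])
    print("after remediation:", after)
```

Point audit_tree at a real install root to use it for the audit alone; fix_modes clears only the world-write bit on logs and leaves group access as it was, so run it against the lists the audit returned rather than blindly over the whole tree. A file like QEDBF.INI shows up in both lists, which is why the remediation handles the two findings in sequence.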

Examples:
http:///caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd
http:///caspsamp/codebrws.asp?source=/caspsamp/../global_odbc.ini
http:///caspsamp/codebrws.asp?source=/caspsamp/../admin/logs/server
http:///caspsamp/codebrws.asp?source=/caspsamp/../LICENSE.LIC
http:///caspsamp/codebrws.asp?source=/caspsamp/../logs/server-3000
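What makes the URLs above work is a source viewer that resolves a user-supplied path without checking that the result stays inside the sample directory. The following is an added example, not the original advisory's material and not Chili!Soft's code: a hypothetical reconstruction of that pattern beside a hardened version that rejects anything resolving outside the sample tree, fed the advisory's own request URLs. The layout it assumes (document root /opt/casp, sample directory /opt/casp/caspsamp, the source parameter resolved relative to the document root) is an assumption of the example, not something the page documents.

```python
import os
from urllib.parse import parse_qs, urlsplit

# Assumed layout for this added example (not documented on the page):
# the web server maps /caspsamp to DOCROOT/caspsamp and the viewer resolves
# the 'source' parameter relative to DOCROOT.
DOCROOT = "/opt/casp"
SAMPLE_DIR = os.path.join(DOCROOT, "caspsamp")


def source_param(url):
    """Pull the decoded 'source' query parameter out of a codebrws.asp URL.
    parse_qs already undoes %2e%2e-style encoding, which is why the
    containment check below must run on the decoded value."""
    return parse_qs(urlsplit(url).query).get("source", [""])[0]


def vulnerable_resolve(source):
    """The pattern the advisory's URLs exploit (hypothetical reconstruction,
    not the vendor's code): glue the parameter onto the docroot and let the
    '..' segments collapse. Anything under DOCROOT is reachable."""
    return os.path.normpath(os.path.join(DOCROOT, source.lstrip("/")))


def hardened_resolve(source):
    """Same resolution, followed by a containment check: the normalized path
    must still sit inside SAMPLE_DIR. Raises PermissionError otherwise."""
    if "\0" in source:
        raise ValueError("NUL byte in source parameter")
    candidate = os.path.normpath(os.path.join(DOCROOT, source.lstrip("/")))
    # commonpath compares whole path components, so '/opt/casp/caspsampX'
    # is not accepted as a prefix of SAMPLE_DIR the way str.startswith would.
    if os.path.commonpath([SAMPLE_DIR, candidate]) != SAMPLE_DIR:
        raise PermissionError(f"refusing {source!r}: resolves outside {SAMPLE_DIR}")
    return candidate


def check_request(url):
    """Return (path the vulnerable viewer would open,
               path the hardened viewer would open, or None if it refuses)."""
    src = source_param(url)
    try:
        allowed = hardened_resolve(src)
    except (PermissionError, ValueError):
        allowed = None
    return vulnerable_resolve(src), allowed


if __name__ == "__main__":
    for url in (
        "http:///caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd",
        "http:///caspsamp/codebrws.asp?source=%2Fcaspsamp%2F%2e%2e%2FLICENSE.LIC",
        "http:///caspsamp/codebrws.asp?source=/caspsamp/codebrws.asp",
    ):
        print(url, "->", check_request(url))
```

The check is lexical (normpath plus commonpath), which is sufficient against '..' in the URL, encoded or not; on a real filesystem, resolve with os.path.realpath as well so a symlink planted under the sample directory cannot point back out of it. Since the sample tree has no business on a production server, removing it, as the advisory's solution says, is the better fix than hardening the viewer.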

Solution: Remove all references to the sample ASP files from your httpd.conf and
replace the default admin account.  Then change the file permissions under
/opt/casp as your site's security policy dictates (in other words, figure it out
for yourself); at a minimum, nothing should be world-writable and the ODBC and
password files should be readable only by the account the server runs as.

Vendor Status: Vendor was e-mailed these problems on December 30, 2000.

Copyright (c) 2001 Stan Bubrouski
