OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Cobalt Networks - Security Advisory - Frontpage
From: Jeff Lovell (jlovellCOBALT.COM)
Date: Thu May 25 2000 - 04:17:16 CDT


Cobalt Networks -- Security Advisory -- 5.25.2000

Problem:
With the current installation of Frontpage on RaQ2 and RaQ3, the
ability to write data to other websites hosted on the same RaQ.
This is due to a permissioning issue with the 'httpd' user.

Description:
Thanks to Chris Adams <cmadamshiwaay.net>

Chris Adams wrote:
"There is a security problem with FrontPage extensions on the
Cobalt RaQ2 and RaQ3 web hosting appliances. It allows any
user on the system to change, delete, or overwrite a FrontPage
site."

When a site is uploaded with FP to a RaQ2/3, all of the files
are owned by user "httpd" instead of a site-specific user.
The Apache web server is also running as user "httpd". Cobalt
uses cgiwrap to have CGIs run as the user that owns the CGI
instead of "httpd", but it is trivial to bypass cgiwrap and
run scripts as user "httpd".

Cobalt Networks is dedicated to providing secure platforms.
Accordingly, we have just completed a fix for this bug that
is available in tar.gz format, which can be found at the following
locations:

RaQ 3i (x86)
tar.gz:
ftp://ftp.cobaltnet.com/pub/experimental/secuirty/frontpage/fpx_patch1.tar.gz

RaQ 2 (MIPS)
tar.gz:
ftp://ftp.cobaltnet.com/pub/experimental/secuirty/frontpage/fpx_patch1.tar.gz

MD5 sum Package Name
--------------------------------------------------------------------------
bb690be8a6cbf3d795ad193c4e51cece fpx_patch1.tar.gz

You can verify each rpm using the following command:
md5sum fpx_patch1.tar.gz

The details on installing this package are located at:
ftp://ftp.cobaltnet.com/pub/experimental/secuirty/frontpage/README

The package file format (pkg) for this fix is currently in testing, and
will be available in the very near future.

Jeff Lovell
Cobalt Networks
jlovellcobalt.com