From: John Brock (peppertechSUN.COM)
Date: Sat Feb 24 2001 - 11:21:42 CST


There have been various issues related to security brought to the attention of Chili!Soft.

While we are working as quickly as possible to address the more detailed issues, we would like to provide as much information as possible on the current status to help remove as much exposure as possible in the short term. Chili!Soft is dedicated to providing a safe, secure environment for both our customers and their clients.

There have been 4 specific issues presented to us. We will cover each in its own section below.

1) Issue: Chili!Soft ASP installs a default username and password for the ASP Admin Console when you choose to install using the "default" installation.

Solution: The Admin Console username and password can be changed by telnetting to the machine and running the "admtool" utility. You must be root to run this utility. Once the utility is started, you can list the existing users, and delete and/or add users. It is always strongly advisable to remove any default settings as quickly as possible.

Note: By choosing the "custom" installation method instead of the default, you will be prompted for the ASP Admin Console username and password.

Software Versions Affected: Linux 3.5.2, AIX 3.6

2) Issue: Chili!Soft ASP sample applications contain the ability to view the source of the sample ASP applications. This "codebrws.asp" script can be exploited to view any file on the system for which the full path is known.

Solution: Disable the sample directories. This can be done in different ways, depending on your environment.
        a) For Chili!Soft customers on Linux environments or using Chili!Soft ASP v3.6 on AIX, go to the ASP Admin Console, click on the ASP Applications link, and remove all of the Chili!Soft ASP Applications that are listed. These all begin with the prefix /caspsamp.
        b) For customers on Solaris, HP, or previous AIX environments, telnet to the machine and change to the ASP engine's directory (/opt/casp/asp-apache-3000 by default). Open the casp.cnfg file and comment out the Chili!Soft ASP Sample Applications listed at the bottom of the file under the [ASP Applications] section. Again, these all begin with the prefix /caspsamp.
        c) The ability to view the ASP Sample applications is limited to the root web server of a machine. They cannot be accessed from a virtual host by default. If you are running in a shared hosting environment, your customers will only have the ability to access the /caspsamp virtual directory *if* they are connecting to the root web server on your machine. Chili!Soft ASP has the ability to enable ASP support on a per-virtual-host basis when used with Apache web servers. You can disable ASP support for the root web server. On Linux and AIX v3.6 installations, this can be done in the Admin Console.

Note: *All* of the file access issues presented in the BugTraq Advisory "Chili!Soft ASP Multiple Vulnerabilities" are directly related to the ability to reach the /caspsamp virtual directory. If one cannot view the ASP Sample applications from the web, one cannot access the configuration and log files from the web.

Software Versions Affected: All Chili!Soft releases on UNIX.
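Step 2(b) scripted as an added example (not Chili!Soft code): an awk filter that comments out the /caspsamp entries only within the [ASP Applications] section of casp.cnfg, run here against a constructed stand-in file. The name=value entry layout and the ';' comment character are assumptions, so confirm them against the real file before use.

```shell
#!/bin/sh
# Added example, not Chili!Soft's code: scripts step 2(b) by commenting out
# every /caspsamp entry under the [ASP Applications] section of casp.cnfg and
# leaving every other section untouched. The "name=value" entry layout and the
# ';' comment character are assumptions; check a real casp.cnfg first.

disable_caspsamp() {
    # $1: path to casp.cnfg. A backup is kept at $1.bak before rewriting.
    cfg="$1"
    cp "$cfg" "$cfg.bak" || return 1
    awk '
        /^\[/                    { in_apps = ($0 ~ /^\[ASP Applications\]/) }
        in_apps && /^\/caspsamp/ { print ";" $0; next }   # entry beginning with /caspsamp
        { print }
    ' "$cfg.bak" > "$cfg"
}

# Counts uncommented /caspsamp entries left under [ASP Applications];
# 0 means the sample applications are no longer registered.
count_active_samples() {
    awk '
        /^\[/                    { in_apps = ($0 ~ /^\[ASP Applications\]/) }
        in_apps && /^\/caspsamp/ { n++ }
        END                      { print n + 0 }
    ' "$1"
}

# Writes a constructed stand-in for casp.cnfg (not a real one) for a dry run.
make_sample_cnfg() {
    cat > "$1" <<'EOF'
[ASP Engine]
port=3000

[ASP Applications]
/myapp=/var/www/myapp
/caspsamp=/opt/casp/caspsamp
/caspsamp/admin=/opt/casp/caspsamp/admin
EOF
}

# Dry run on the constructed file.
work=$(mktemp -d)
make_sample_cnfg "$work/casp.cnfg"
disable_caspsamp "$work/casp.cnfg"
echo "active /caspsamp entries left: $(count_active_samples "$work/casp.cnfg")"
```

Restart the ASP engine afterwards so the edited casp.cnfg is reloaded, and keep the .bak until the sample directory is confirmed unreachable from the web.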

3) Issue: Chili!Soft ASP installs certain configuration files with permission settings that allow world-readable access.

Solution: Removing access to the ASP samples, by performing one of the steps listed in Item (2) above, will block the ability for anyone to view or modify the ASP configuration and log files without having direct access to the filesystem. We have also determined that a number of the files can safely be set to a higher degree of security. Below is a list of what can be done at this time.
        a) All files in the ASP engine's directory (/opt/casp/asp-apache-3000 by default) can be set to either 600 or 700 accordingly, EXCEPT casp.cnfg and odbc.ini. These two files must not be set to any permissions lower than 644.
        b) In the CASP installation root directory (/opt/casp by default), you can change the permissions on the global_odbc.sh file to 600.

Other specific file permission issues are being addressed as quickly as possible and will be modified in an upcoming release. Changing permissions on these files necessitates some changes to our product that must be blessed by Quality Assurance prior to public release in order to ensure that the product will continue to function as expected. We are well underway with this cycle and will try to post updates as appropriate.

Software Versions Affected: All Chili!Soft releases on UNIX (on versions other than Linux, filenames and locations may differ somewhat).
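Item 3 as an added example (not Chili!Soft code): a POSIX shell script that applies the 600/700 settings, re-asserts the 644 floor on casp.cnfg and odbc.ini, tightens global_odbc.sh, and then audits the engine directory for anything still group- or world-accessible, rehearsed on a constructed scratch tree. Both paths are parameters; the file names casp.log and logs/error.log in the scratch tree are constructed, and subdirectories are set to 700 on the assumption that the engine itself runs as root.

```shell
#!/bin/sh
# Added example, not Chili!Soft's code: applies the tightening in item 3.
# Files under the ASP engine directory go to 600 and its subdirectories to
# 700, except casp.cnfg and odbc.ini, which the text says must stay at 644;
# global_odbc.sh in the install root goes to 600. Paths are parameters so the
# script can be rehearsed on a scratch copy before touching /opt/casp.

harden_casp_perms() {
    engine_dir="$1"   # normally /opt/casp/asp-apache-3000
    casp_root="$2"    # normally /opt/casp
    [ -d "$engine_dir" ] || { echo "no such directory: $engine_dir" >&2; return 1; }
    find "$engine_dir" -type d ! -path "$engine_dir" -exec chmod 700 {} +
    find "$engine_dir" -type f ! -name casp.cnfg ! -name odbc.ini -exec chmod 600 {} +
    # Re-assert the two exceptions so they never end up below 644.
    for f in casp.cnfg odbc.ini; do
        [ -f "$engine_dir/$f" ] && chmod 644 "$engine_dir/$f"
    done
    [ -f "$casp_root/global_odbc.sh" ] && chmod 600 "$casp_root/global_odbc.sh"
    return 0
}

# Audit: lists files under the engine directory that are still readable or
# writable by group or others, ignoring the two permitted exceptions.
# Empty output means the tree matches item 3(a).
audit_casp_perms() {
    find "$1" -type f ! -name casp.cnfg ! -name odbc.ini \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \)
}

# Builds a constructed scratch tree with the default layout for a rehearsal
# (file names other than casp.cnfg, odbc.ini and global_odbc.sh are made up).
make_scratch_tree() {
    root="$1"
    mkdir -p "$root/asp-apache-3000/logs"
    for f in casp.cnfg odbc.ini casp.log logs/error.log; do
        echo "constructed sample" > "$root/asp-apache-3000/$f"
        chmod 644 "$root/asp-apache-3000/$f"
    done
    echo "constructed sample" > "$root/global_odbc.sh"
    chmod 755 "$root/global_odbc.sh"
}

scratch=$(mktemp -d)
make_scratch_tree "$scratch/casp"
harden_casp_perms "$scratch/casp/asp-apache-3000" "$scratch/casp"
echo "files still group/world accessible (expect none):"
audit_casp_perms "$scratch/casp/asp-apache-3000"
```

Run the audit function alone against the live directory after a restart to confirm the engine did not recreate any world-readable files.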

4) Issue: InheritUser security mode does not properly set the Group ID.

Solution: This must be addressed at the code level and thus there is no configuration workaround that can be immediately applied. This issue is in the process of being addressed in the upcoming v3.6 release on Solaris, Linux, and HP. We are working to have this new release available as quickly as possible. We expect to have specific dates available in the upcoming week.

Software Versions Affected: All Linux releases. Solaris, HP, and AIX *only* when used with the Apache web server in multithreaded mode.

We appreciate your patience with these issues. We also appreciate that your comments and findings help improve our product for everyone. Please do not hesitate to bring up any concerns you may have by contacting us at techchilisoft.com.