
Re: another security hole



On Sun, Jul 11, 1999 at 04:49:00PM +0200, Grzegorz Stelmaszek wrote:
> > Although this security issue it is not of extreme importance, yes, it
> > can be harmful, because anyone can see the file listing in directories
> > that the www-data user can read.
>
> What could I say? ROTFL is the one thing I could say. Important information
> for all 'security professionals' on that list:
> -> Any information is very important for hackerz
> -> The most important thing is gaining r00t privileges
> -> Then the hacker tries to gain any account on the system in quite a short time
> -> Then the hacker tries to use 'social engineering' to get any user account
> -> Then the hacker tries to guess the password ;>
> 
> As you could see, the last two steps need LIST OF AVAILABLE USER ACCOUNTS
> on your system.

And this flaw in the CGI script provides that, as a listing of the /home
directory (which isn't very reliable, but can get results). I agree that
that is dangerous, but it certainly isn't critical. Don't exaggerate.

What you are suggesting could be qualified as providing security through
obscurity, but I personally don't have an opinion on that issue.

> Nota bene - AFAIK Debian still uses an unpatched version of pine, so there is
> an easy way to run any command via it IF you know to whom to send an email.

File a bug, if it already isn't reported.

> > And you know, it would be nice if you proposed a fix for the bug.
> > A quick fix would be to remove or chmod -x the script.
>
> Hmmm, or rather you should change all `echo $VALUE` to `echo "$VALUE"`, and
> this is the real fix. Your proposition is the same as `dpkg -r` and imho is not
> a fix, but destruction ;>.

So, was it so hard to say what the fix is, instead of bitching about how
nobody responded?

> -> hacker starts `lynx victim/cgi-bin/nph-test-cgi?/home/*` so he has a list
> of user accounts (impossible! does the www-data user have access to /home
> ?)

If not set otherwise (by the sysadmin), it is mode 755. So, by default yes.

> -> hacker `lynx victim/cgi-bin/nph-test-cgi?/usr/doc/*` so he has a list of
> packages installed

Of course, you knew that he can do that on any Debian system, because all
our HTTP daemons are configured to display /usr/doc when one browses to
http://host/doc/, because the Policy depends on that. I think only
Apache has been set up to allow this only from localhost.

Anyway, now that we have the solution, maintainer or someone else will
do an upload of the fixed package. No point in any more flames.

-- 
enJoy -*/\*- spelled 'iosip', or simply 'joseph'
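
The bug and the fix discussed in this thread, as an added example that is not part of the original message and not the nph-test-cgi script itself: a shell CGI that echoes a request variable unquoted lets the shell perform pathname expansion on it, so a query string of `/home/*` comes back as the list of home directories, while the quoted form echoes the literal pattern. The function names, the temporary sandbox standing in for /home, and the three user names are this example's own assumptions; it runs stand-alone under POSIX sh.

```shell
# Added example, not code from the Debian thread or from nph-test-cgi.
# Demonstrates why `echo $VALUE` leaks a directory listing and why
# `echo "$VALUE"` does not. All names below are constructed for the demo.

set -u

# Constructed stand-in for /home on a victim host; removed on exit.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/alice" "$SANDBOX/bob" "$SANDBOX/carol"

# Vulnerable form: mirrors `echo $VALUE` in the original script. The CGI
# copies the URL's query part into QUERY_STRING; left unquoted, the shell
# expands any glob characters in it against the filesystem before echo runs.
vuln_echo() {
    QUERY_STRING=$1
    echo $QUERY_STRING
}

# Fixed form: mirrors the `echo "$VALUE"` fix proposed in the thread.
# Double quotes suppress both word splitting and pathname expansion.
fixed_echo() {
    QUERY_STRING=$1
    echo "$QUERY_STRING"
}

# Count how many words of a response name real directories on this host,
# i.e. how many account names an attacker learned from it.
count_leaked() {
    set -f                 # no globbing here, or the literal '*' would expand again
    n=0
    for w in $1; do
        [ -d "$w" ] && n=$((n + 1))
    done
    set +f
    echo "$n"
}

# The attacker's request is "?<sandbox>/*", standing in for "?/home/*".
vuln_out=$(vuln_echo "$SANDBOX/*")
fixed_out=$(fixed_echo "$SANDBOX/*")
leaked_vuln=$(count_leaked "$vuln_out")
leaked_fixed=$(count_leaked "$fixed_out")

echo "vulnerable response: $vuln_out   (directories leaked: $leaked_vuln)"
echo "fixed response:      $fixed_out   (directories leaked: $leaked_fixed)"
```

The same expansion happens for any unquoted use of attacker-controlled data in the script, not only `echo`, so the fix is to quote every such expansion, and `/usr/doc/*` (the installed-package listing mentioned above) is just another pattern fed to the same line.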

