[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-security] URLs enables anyone to see GUI Account Info

Subject: [cobalt-security] URLs enables anyone to see GUI Account Info
From: Rod Todd <rodd_todd_1999@xxxxxxxxx>
Date: Wed, 20 Sep 2000 16:32:44 -0700 (PDT)

Hello, we found that if anyone typed
www.qube2.com:81/.cobalt/groupList/ , all the current
group names, user names, accounts, and all other user
restricted Cobalt GUI templates HTML can be seen.  For
the list of users, it is .../.cobalt/AddUser/, and so
on for each GUI HTML page.  We did  a Chmod go-rwx to
limit the files to only be rwx by User, but still
anyone from a browser who types in the URLs can see
all the groups and users, and can even attempt to
change the default size of groups, though it does not
actually take effect. Any clues why the Chmod command
is not working (are we doing something wrong?), and is
there any way to patch this up?
Cheers 

__________________________________________________
Do You Yahoo!?
Send instant messages & get email alerts with Yahoo! Messenger.
http://im.yahoo.com/

Prev by Date: Re: [cobalt-security] Telnet timeout after login
Next by Date: [cobalt-security] php and raq2
Previous by thread: Re: [cobalt-security] Telnet timeout after login
Next by thread: [cobalt-security] php and raq2

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index