[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-security] Re: Security Alert on MIPS based Cobalts

Subject: [cobalt-security] Re: Security Alert on MIPS based Cobalts
From: Rod Todd <rodd_todd_1999@xxxxxxxxx>
Date: Sat, 7 Oct 2000 14:11:09 -0700 (PDT)
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

>If you leave port 81 open to the net and use a MIPS
>based Cobalt server, Raq 1 and 2? Qubes etc...
>you may leave yourself open to compromises....

My favorite on the Qubes :
www.domain.com:81/.cobalt/groupList
It shows all the groups and if you click on a group,
it shows you who all the names of members. No wonder
someone told me that he could find out who was on my
machine even if we turned off Finger and Who.  Is
there any way to prevent people from snooping our
users and groups without deleting the page?

>Try this www.yourdomain.com:81./cobalt

We received an error page.

>others are
>shared

When we do this:
http://www.ementor.com:81/.cobalt/shared/

we receive : Index of /.cobalt/shared which shows one
file:
blank.html              

>www.yourdomain.com:81/.cobalt/install

We get a blank page 

www.yourdomain.com:81/cobalt/siteManage

>images

When we do this:

http://www.ementor.com:81/.cobalt/images/


we receive :  Index of /.cobalt/images

all the images shown from the images directory.
>help

http://www.ementor.com:81/.cobalt/help/

shows 3 help files

>error
Shows nothing

>appletData

http://www.ementor.com:81/.cobalt/appletData/

We receive :

webUsage-home.dat file, which shows a bunch of numbers
when opened.

>about

http://www.ementor.com:81/.cobalt/about/

shows a Qube2 banner page

Our Software On The Cobalt Server:
 
Cobalt OS Release 4.0 
Cobalt Qube2 Update Release 1.0 
MFG message patch Release 1.0 
Shell History Patch Release 1.1 

Since our machine will be a stand alone server, is
there anyway to plug up the HTML pages, mabye via TCP
wrappers allowing only a particular IP to access port
:81?

Cheeri'o
..........RT



>You must use the main Domain not a virtual domain on
>a server

>I found it on my Qube 2...Real Cute!!!
>I do not let port 81 to connect outside my LAN.
>so I have access to all the port 81 admin functions




__________________________________________________
Do You Yahoo!?
Yahoo! Photos - 35mm Quality Prints, Now Get 15 Free!
http://photos.yahoo.com/

Follow-Ups:
- Re: [cobalt-security] Re: Security Alert on MIPS based Cobalts
  - From: Malcolm McLeary
- Re: [cobalt-security] Re: Security Alert on MIPS based Cobalts
  - From: Malcolm McLeary

Prev by Date: [cobalt-security] Re: [cobalt-developers] IP Masquerading on RaQ3i
Next by Date: Re: [cobalt-security] Re: Security Alert on MIPS based Cobalts
Previous by thread: [cobalt-security] Re: [cobalt-developers] IP Masquerading on RaQ3i
Next by thread: Re: [cobalt-security] Re: Security Alert on MIPS based Cobalts

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index