RE: [cobalt-security] Re: Security Alert on MIPS based Cobalts



You also must place an .htaccess in "userList," etc.  Or you could just file
a detailed vulnerability report on BugTraq and wait for Cobalt to issue a
security patch...

PS: email a "lists" command to majordomo@xxxxxxxxxxxxxxxx  Look at the data
it returns.  Think about it from a spammer's perspective.  (Edit each
/usr/local/majordomo/lists/xxxx.config by hand if you want security.)
"Enjoy."

Rob

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Malcolm
McLeary
Sent: Sunday, 8 October 2000 3:20 AM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Re: Security Alert on MIPS based Cobalts


on 8/10/00 10:39 AM, Malcolm McLeary at mmcleary@xxxxxxx wrote:

> This is really bad!
>
>   http://www.domain.com:81/.cobalt/groupList/
>
> presents this page without a password prompt, while
>
>   http://www.domain.com:81/.cobalt/sysManage/
>
> prompts for a username and password.
>
> There must be a relatively easy fix to this because my Gateway Microserver
> does not have this problem ... it prompts for a password for both of these
> URLs.
>
> Would a .htaccess file restricting access to admin work?

Yep.  My Gateway Microserver has a .htaccess file in the groupList directory
where my Qubes don't.  Just add a .htaccess file containing the following
and the problem will be resolved.

# Access file for /usr/admserv/html/.cobalt/groupList/ (admin)
# Host-based rules: any client address may reach the directory ...
order allow,deny
allow from all
# ... but only the authenticated user "admin" is accepted.  Apache's default
# is "Satisfy all", so both the allow rule and the require must pass.
require user admin
AuthName Server
AuthType Basic
AuthUserFile /etc/htpasswd
AuthGroupFile /etc/htgroup

It would be prudent to check all the other directories in
/usr/admserv/html/.cobalt/ for missing .htaccess files.  Unfortunately
creating a .htaccess at the parent level doesn't work as the error directory
needs to have no restrictions.

From a quick poke around this is a problem on Qube 2700WGs and Qube2s, but
not on Gateway Microservers.

Cheers,  Malcolm
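The check Malcolm recommends, walking every directory under the admin server's .cobalt tree for a missing .htaccess, is easy to script. The following POSIX shell script is an added example for this archive page, not code from the thread or from Cobalt. It assumes the admin root /usr/admserv/html/.cobalt from the thread, assumes the directory that must stay unrestricted is literally named "error" (the thread only calls it "the error directory"), and goes one step further than the thread: it also flags an .htaccess that exists but carries no "require" line, or that contains "Satisfy any", since with "allow from all" either of those leaves the directory open despite the file being present. The test fixture directories it is exercised with are constructed, not taken from a real Qube.

```shell
#!/bin/sh
# audit_htaccess.sh: report admin-server directories with no .htaccess, or
# with an .htaccess that does not actually require authentication.
# Added example; the paths below are assumptions taken from the thread.

ADMIN_ROOT="${ADMIN_ROOT:-/usr/admserv/html/.cobalt}"
# Assumed name of the directory that must stay unrestricted (the thread says
# the error directory needs no restrictions, so a parent-level file won't do).
UNRESTRICTED="${UNRESTRICTED:-error}"

# audit_dir ROOT: one line per subdirectory, "STATUS<TAB>NAME[<TAB>reason]".
# STATUS is SKIP, MISSING, WEAK or OK.
audit_dir() {
    root="$1"
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        if [ "$name" = "$UNRESTRICTED" ]; then
            printf 'SKIP\t%s\t(must stay unrestricted)\n' "$name"
        elif [ ! -f "$d/.htaccess" ]; then
            printf 'MISSING\t%s\n' "$name"
        elif ! grep -qi '^[[:space:]]*require[[:space:]]' "$d/.htaccess"; then
            printf 'WEAK\t%s\t(.htaccess has no require directive)\n' "$name"
        elif grep -qi '^[[:space:]]*satisfy[[:space:]]*any' "$d/.htaccess"; then
            # "Satisfy any" lets the "allow from all" rule bypass the require.
            printf 'WEAK\t%s\t(Satisfy any bypasses the require)\n' "$name"
        else
            printf 'OK\t%s\n' "$name"
        fi
    done
}

# count_status ROOT STATUS: number of subdirectories reported with STATUS.
count_status() {
    audit_dir "$1" | awk -F'\t' -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# write_htaccess DIR: install the access file from the thread into DIR.
write_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Access file for an admin-only directory (admin)
order allow,deny
allow from all
require user admin
AuthName Server
AuthType Basic
AuthUserFile /etc/htpasswd
AuthGroupFile /etc/htgroup
EOF
}

# fix_missing ROOT: write the access file into every MISSING directory.
# WEAK directories are left alone on purpose: they need a human to look.
fix_missing() {
    audit_dir "$1" | awk -F'\t' '$1 == "MISSING" { print $2 }' |
    while IFS= read -r name; do
        write_htaccess "$1/$name"
        echo "wrote $1/$name/.htaccess"
    done
}

# Audit when run directly as a script; the functions can also be sourced.
case "$0" in
    *audit_htaccess.sh)
        audit_dir "$ADMIN_ROOT"
        [ "$1" = "--fix" ] && fix_missing "$ADMIN_ROOT"
        ;;
esac
```

Run it as root on the Qube with `sh audit_htaccess.sh` to get the report, and `sh audit_htaccess.sh --fix` to drop the thread's access file into every directory reported MISSING. Back up and re-run the audit after any Cobalt update, since the missing files are part of the shipped tree and an upgrade may restore the old layout.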


_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security