RE: [cobalt-security] Re: Security Alert on MIPS based Cobalts
- Subject: RE: [cobalt-security] Re: Security Alert on MIPS based Cobalts
- From: "Rob Rosenberger" <junkmail@xxxxxxxxxxx>
- Date: Sun, 8 Oct 2000 12:53:37 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
You also must place an .htaccess in "userList," etc. Or you could just file
a detailed vulnerability report on BugTraq and wait for Cobalt to issue a
security patch...
PS: email a "lists" command to majordomo@xxxxxxxxxxxxxxxx Look at the data
it returns. Think about it from a spammer's perspective. (Edit each
/usr/local/majordomo/lists/xxxx.config by hand if you want security.)
"Enjoy."
Rob
-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Malcolm
McLeary
Sent: Sunday, 8 October 2000 3:20 AM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Re: Security Alert on MIPS based Cobalts
on 8/10/00 10:39 AM, Malcolm McLeary at mmcleary@xxxxxxx wrote:
> This is really bad!
>
> http://www.domain.com:81/.cobalt/groupList/
>
> presents this page without a password prompt, while
>
> http://www.domain.com:81/.cobalt/sysManage/
>
> prompts for a username and password.
>
> There must be a relatively easy fix to this because my Gateway Microserver
> does not have this problem ... it prompts for a password for both of these
> URLs.
>
> Would a .htaccess file restricting access to admin work?
Yep. My Gateway Microserver has a .htaccess file in the groupList directory
where my Qubes don't. Just add a .htaccess file containing the following
and the problem will be resolved.
# Access file for /usr/admserv/html/.cobalt/groupList/ (admin)
order allow,deny
allow from all
require user admin
Authname Server
Authtype Basic
AuthUserFile /etc/htpasswd
AuthGroupFile /etc/htgroup
It would be prudent to check all the other directories in
/usr/admserv/html/.cobalt/ for missing .htaccess files. Unfortunately
creating a .htaccess at the parent level doesn't work as the error directory
needs to have no restrictions.
From a quick poke around this is a problem on Qube 2700WGs and Qube2s, but
not on Gateway Microservers.
Cheers, Malcolm
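
The directory check suggested above, as an added example that is not part of the original thread or Cobalt's software: a POSIX shell function that reports every immediate subdirectory lacking a .htaccess, and additionally flags one whose .htaccess has no active "require" line. The exempt directory name "error" and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_htaccess BASE [EXEMPT...]
# Prints one line per immediate subdirectory of BASE:
#   MISSING <dir>    no .htaccess file
#   NOREQUIRE <dir>  .htaccess has no active "require" directive
#   OK <dir>         .htaccess has a "require" directive
# EXEMPT names are skipped; the default "error" is an assumed name for
# the error directory that must stay unrestricted.
# Returns 1 if anything is MISSING or NOREQUIRE, otherwise 0.
audit_htaccess() {
    base=$1; shift
    if [ $# -eq 0 ]; then set -- error; fi
    failed=0
    for dir in "$base"/*; do
        if [ ! -d "$dir" ]; then continue; fi
        name=${dir##*/}
        skip=0
        for ex in "$@"; do
            if [ "$name" = "$ex" ]; then skip=1; fi
        done
        if [ "$skip" -eq 1 ]; then continue; fi
        if [ ! -f "$dir/.htaccess" ]; then
            echo "MISSING $name"; failed=1
        elif ! grep -Eiq '^[[:space:]]*require[[:space:]]' "$dir/.htaccess"; then
            echo "NOREQUIRE $name"; failed=1
        else
            echo "OK $name"
        fi
    done
    return "$failed"
}

# Constructed sample tree (not a real Cobalt layout) for trying the audit.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/groupList" "$root/sysManage" "$root/userList" "$root/error"
    printf 'require user admin\nAuthtype Basic\n' > "$root/sysManage/.htaccess"
    printf '# require user admin\n' > "$root/userList/.htaccess"
    echo "$root"
}

# Usage on a real box: audit_htaccess /usr/admserv/html/.cobalt
```
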