[cobalt-security] Security issue regarding Sites Backups
- Subject: [cobalt-security] Security issue regarding Sites Backups
- From: "Davide Crudo" <dcrudo@xxxxxxxxxxxxx>
- Date: Tue, 28 Aug 2001 10:28:47 +0200
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi,
I'm new to the list, so I have no idea if this has been
handled before:
I've noticed that it is possible for a user to restore a website
which does not belong to him/her just with his user
permissions...
For instance:
Two racks:
Raq4-1
Raq4-2
Let's say that 15 websites are running on the web server on Raq4-1 and that
user 15 backed up websites 1 thru 7 on Raq4-2.
Accessing his user account 15 on Raq4-1, he can actually use the restore file
coming from Raq4-2 to perform a restore on 4-1.... The result would be that
websites 1 thru 7 on Raq4-1 would be overwritten.
I think that the problem here is that the complete path from /home is stored
in the backup file and that the restore is performed by the system with admin
rights...
I wonder if, by modifying the backup file, it would be possible to overwrite
even system files.
Has anyone noticed that?
Thanx,
Dave.
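
An added example, not part of the original post and not Cobalt's code: a pre-restore check that rejects a backup whose stored paths fall outside the directories the restoring user owns, which is the missing authorization the message describes. It assumes the backup is a tar archive and a hypothetical per-site layout of /home/sites/siteN; the sample archive is constructed in memory.

```python
import io
import posixpath
import tarfile


def build_sample_archive(names):
    """Constructed in-memory tar standing in for a backup file (assumed format)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"sample"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def rejected_members(archive, allowed_roots):
    """Return (name, reason) for each member the restoring user may not write.

    allowed_roots: directories owned by the user who requested the restore
    (hypothetical layout, e.g. /home/sites/site15).
    """
    roots = [posixpath.normpath(r) for r in allowed_roots]
    bad = []
    with tarfile.open(fileobj=archive, mode="r") as tar:
        for m in tar.getmembers():
            # Resolve the stored path as a restore rooted at / would,
            # collapsing any ".." components before comparing.
            target = posixpath.normpath(posixpath.join("/", m.name))
            if m.issym() or m.islnk():
                bad.append((m.name, "link member"))
            elif not (m.isfile() or m.isdir()):
                bad.append((m.name, "special file"))
            elif not any(target == r or target.startswith(r + "/") for r in roots):
                bad.append((m.name, "outside caller's sites"))
    return bad


def safe_to_restore(archive, allowed_roots):
    """True only when every member lands inside the caller's own sites."""
    return not rejected_members(archive, allowed_roots)
```

The check runs before any file is written, so a privileged restore process can refuse the whole archive instead of extracting part of it.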