
Re: [cobalt-security] Security issue regarding Sites Backups



...actually the problem came out because I've backed up a web site
and wanted to restore it somewhere else... and the result was that
another one got rewritten...

...so I've figured out that this was a BIG issue...and when restoring
websites... we better know the website number!

Dave.

----- Original Message -----
From: "Ted Behling" <TBehling@xxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Saturday, September 01, 2001 8:36 PM
Subject: Re: [cobalt-security] Security issue regarding Sites Backups


> At 10:28 AM 8/28/01 +0200, Davide Crudo wrote:
> >I'm new to the list, so I have no idea if this has been
> >handled before:
> >
> >I've noticed that it is possible for a user to restore a website
> >which does not belong to him/her just with his user
> >permissions...
>
> I wondered about this when I first got my RaQ.  I actually started
> analyzing the Perl source code the other day, but didn't get too far into
> it.  Have you actually restored a Web site you didn't own, or is this just
> theoretical?  Maybe I'll reverse-engineer the .raq format (I think it's
> just a tarball, like a .pkg) and see if I can "restore" an arbitrary file
> (/etc/shadow and /etc/passwd, maybe...).
>
> --------------------------------------------------------------------------
> Ted Behling, Web Application Developer - Monarch Information Systems, Inc.
>
> 43 Folly Field Road, Unit 4, Hilton Head Island, SC 29928-5434
> E-mail: mailto:TBehling@xxxxxxxxxxxxx
> Phone/Fax: 1-800-842-7894    Local or Outside the USA: 1-843-842-7894
> Cell Phone (urgent issues): 843-816-7895
> Cell Phone E-mail: mailto:TedPhone@xxxxxxxxxxxxx (116 letter limit)
> Web site: http://www.MonarchIS.net
> --------------------------------------------------------------------------
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>