
Re: [cobalt-security] Weak site user PW



Hello Roy,

> I am taking over several web sites, and found that the users for both
> sites have VERY weak passwords... as in many are 3 digit numeric passwords
> (they use birthdates of mo/yr). Once I finished shuddering at the fact of
> such a weak set of passwords I started thinking.
>
> As long as I don't allow telnet access or site admin status to any of these
> weak users, would it be safe to add them with the existing passwords? I
> noticed all I can see as a lowly site user is ftp-ing into my own local
> web space.

Two problems that I can see immediately with this:

1. If they have weak passwords and someone does gain access it does of
course mean that they (the hacker) can then upload/download/deface the data
on the site. If you also have email enabled for that user they can then spam
through that user account, impersonate them through their email address and
retrieve their email. Even without mail enabled they could upload a trivial
CGI script that simply allows them to spam through the server, and not only
that, but reads data on your server that you or your other users may not
have secured with appropriate directory and file permissions.

2. Exploits are often found that require a valid user account to accomplish
the task of obtaining elevated privileges. A recent example is the wu-ftpd
exploit that requires a valid user account initially (I believe that this
could also be anonymous access via ftp too). Once the hacker has gained
access to this "lowly" user account they then have made the step they
require to then implement the exploit to gain elevated (root) privileges and
they're all over your box. Even if there are no current known exploits with
the packages installed, there could well be one in the (near) future, for
which a weak-password-protected account could prove very dangerous.

I'd _give_ them new passwords and tell them what they are before allowing
them to access the server. It might then be prudent to test their passwords
once they inevitably change them using a brute-force tool (of which there
are many) to make sure they haven't simply set them back to something
stupid.

Regards,
Jonathan Michaelson

Community CGI Scripts
http://www.webumake.com
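The audit the reply recommends, as an added example that is not part of the original message or any tool the poster names: it enumerates the weak space described above (3-digit numerics and birthdate-style mo/yr strings), tries every candidate against a set of stored hashes, and offers a policy check plus a random-password generator for the "give them new passwords" step. The stored-hash format (sha256 over salt + password) and the sample accounts are assumptions constructed for this example; a real audit would use the system's crypt(3) hashes, and the loop is the same either way.

```python
"""Audit site accounts for the kind of weak passwords the thread describes.

Added example, not the poster's tool.  The hash scheme below is an assumed
stand-in for crypt(3) so the example runs offline; the brute-force logic is
what matters.
"""
import hashlib
import itertools
import secrets
import string


def birthdate_candidates():
    """Yield mo/yr strings such as "399", "0399", "1168": months 1..12 and
    two-digit years 00..99, in both unpadded and zero-padded month form."""
    for month in range(1, 13):
        for year in range(100):
            yield f"{month}{year:02d}"
            yield f"{month:02d}{year:02d}"


def numeric_candidates(max_digits=4):
    """Yield every numeric string of 1..max_digits digits."""
    for width in range(1, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=width):
            yield "".join(digits)


def weak_password_space():
    """Deduplicated candidate stream.  The whole space is only a few thousand
    guesses, which is why a brute-force tool finds these passwords instantly."""
    seen = set()
    for cand in itertools.chain(birthdate_candidates(), numeric_candidates()):
        if cand not in seen:
            seen.add(cand)
            yield cand


# Materialised once for the policy check below.
_WEAK_SET = frozenset(weak_password_space())


def hash_password(salt, password):
    # Assumed storage scheme for this example only; not crypt(3).
    return hashlib.sha256((salt + password).encode()).hexdigest()


def audit(accounts):
    """accounts: {user: (salt, hexdigest)}.  Returns {user: recovered_password}
    for every account whose password lies in the weak space."""
    candidates = list(weak_password_space())
    cracked = {}
    for user, (salt, digest) in accounts.items():
        for cand in candidates:
            if hash_password(salt, cand) == digest:
                cracked[user] = cand
                break
    return cracked


def is_weak(password, min_length=8):
    """Policy check to run before accepting a password change: reject short,
    all-digit, or birthdate-shaped passwords."""
    if len(password) < min_length:
        return True
    if password.isdigit():
        return True
    return password in _WEAK_SET


def new_password(length=12):
    """Random replacement password to hand to the user, as the reply suggests."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample accounts: two birthdate passwords, one reasonable one.
SAMPLE_ACCOUNTS = {
    "alice": ("s1", hash_password("s1", "399")),
    "bob": ("s2", hash_password("s2", "1168")),
    "carol": ("s3", hash_password("s3", "Tr0ub4dor-x9")),
}

if __name__ == "__main__":
    for user, pw in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: weak password {pw!r}")
```

Run it after users have changed their passwords: any account that comes back from audit() should have its password reset again, and is_weak() can gate the change itself so the reset is not needed in the first place.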