Re: [cobalt-security] QuickFIX:CGIWrap Update: Patched RaQ still has issues
- Subject: Re: [cobalt-security] QuickFIX:CGIWrap Update: Patched RaQ still has issues
- From: "K-IM" <k-imaiz@xxxxxxxxxxxxxxxxx>
- Date: Mon, 2 Sep 2002 10:41:10 +0900
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi, Zeffie.
----- Original Message -----
From: "Zeffie" <cobaltlist@xxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Friday, August 30, 2002 9:03 PM
Subject: Re: [cobalt-security] QuickFIX:CGIWrap Update: Patched RaQ still
has issues
| > there are still Cross-Site-Scripting vulnerabilities
| > with latest patched CGI-Wrapper on the RaQs.
| > Attackers can steal session cookies,
| > can display fake information on the victim's browser.
| > Quick FIX:(My RaQ3)
| > telnet www.domain.jp 23
|
| telnet?
Of course, using SSH is very strongly recommended.
Thank you for your advice.
|
| > Cobalt Linux release 5.0 (Pacifica)
| > Kernel 2.2.16C28_III on an i586
|
| You haven't done the kernel update from Jan 7 2002
|
Zeffie, did you refer to the patch
RaQ3-ALL-Security-4.0.1-15417.pkg?
I have searched for this patch here,
Sun Cobalt Support - Sun Cobalt Product Downloads (Japan)
http://jp.sunsolve.sun.com/patches/cobalt/japan/index.html
This patch is not released in Japan, unfortunately.
Luckily, I have noticed it, thank you Zeffie.
| <snip>
|
| Delete your files? Is this another scare sales thing?
--
On the Japanese official download site,
<http://jp.sunsolve.sun.com/patches/cobalt/japan/index.html>
there is a CGIWrap Update 4.0.1 PKG, named
RaQ3-All-Security-4.0.1-14985.pkg
released by SUN on 25/07/2002.
(The English version is RaQ3-All-Security-4.0.1-14997.pkg, NOT 14985.)
The Japanese PKG deletes debugging-mode files automatically by itself.
CERT said to me,
Me> Hardlink or symlink nph-cgiwrap, nph-cgiwrapd, cgiwrapd to cgiwrap
Me> in the cgi-bin directory. Then remove nph-cgiwrapd, cgiwrapd.
CERT>This sounds like a fine solution on production systems.
Me> Put access controls on remote execution of scripts via cgiwrapd.
Me> (nph-cgiwrapd, too) Or don't allow cgiwrapd to be run in the
Me> production environment.
CERT>This is another way to disable cgiwrapd, but will probably be less
CERT>reliable than just removing it from production servers.
--
I have another workaround, taught to me by Michael Stauber (thank you, Michael!).
Michael said to me,
>But there is an easy way to disable that by adding the following lines to
/etc/httpd/conf/access.conf:
<Location /cgiwrapDir/cgiwrapd>
Order deny,allow
Deny from all
Allow from your_trusted_ip_here
</Location>
<Location /cgiwrapDir/nph-cgiwrapd>
Order deny,allow
Deny from all
Allow from your_trusted_ip_here
</Location>
--
Thank you, Zeffie.
Thank you, Mstauber.
---------------------------
Katumi Imaizumi
k-imaiz@xxxxxxxxxxxxxxxxx
----------------------------
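
The following audit script is an added example, not part of the original message or of any Cobalt/CGIWrap package. It checks the two mitigations discussed above: whether the debug wrappers cgiwrapd and nph-cgiwrapd are still present in cgi-bin, and if so whether access.conf carries a matching <Location> block with "Deny from all". The function names, the temporary paths and the address 192.0.2.10 (standing in for your_trusted_ip_here) are assumptions made for the example.

```shell
#!/bin/sh
# location_denied CONF URLPATH
# Succeeds if CONF has a "<Location URLPATH>" block containing "Deny from all".
location_denied() {
    awk -v want="<Location $2>" '
        tolower($0) ~ /^[ \t]*<location /    { inblk = (index($0, want) > 0); next }
        tolower($0) ~ /^[ \t]*<\/location>/  { inblk = 0 }
        inblk && tolower($0) ~ /^[ \t]*deny[ \t]+from[ \t]+all/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# audit_debug_wrappers CGI_DIR CONF URL_PREFIX
# Prints "<name>: absent|restricted|EXPOSED" for each debug wrapper and
# returns non-zero if any wrapper exists without a Deny rule.
audit_debug_wrappers() {
    exposed=0
    for name in cgiwrapd nph-cgiwrapd; do
        if [ ! -e "$1/$name" ] && [ ! -L "$1/$name" ]; then
            echo "$name: absent"
        elif location_denied "$2" "$3/$name"; then
            echo "$name: restricted"
        else
            echo "$name: EXPOSED"; exposed=1
        fi
    done
    return "$exposed"
}

# Constructed sample: both debug wrappers exist, but access.conf only
# restricts cgiwrapd (the nph-cgiwrapd block was forgotten).
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/cgi-bin"
    : > "$d/cgi-bin/cgiwrap"; : > "$d/cgi-bin/cgiwrapd"; : > "$d/cgi-bin/nph-cgiwrapd"
    cat > "$d/access.conf" <<'EOF'
<Location /cgiwrapDir/cgiwrapd>
Order deny,allow
Deny from all
Allow from 192.0.2.10
</Location>
EOF
    status=0
    audit_debug_wrappers "$d/cgi-bin" "$d/access.conf" /cgiwrapDir || status=$?
    rm -rf "$d"
    return "$status"
}

demo || echo "at least one debug wrapper is reachable without a Deny rule"
```

On a real server, call audit_debug_wrappers with the site's cgi-bin directory, /etc/httpd/conf/access.conf and the URL prefix under which cgiwrap is served.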