Re: [cobalt-security] bleh!



Jerry Bauer wrote:
> Maybe someone already posted this, and I missed it.
> When you create a user (no siteadmin) on the 550 and go to the following
> url:
> 
> http://www.mydomain.com:444/base/user/userList.php
> Login with the user's name and password, all the domain-users can be
> edited/deleted now :(

Can they "just" be listed with the edit/delete buttons, or really changed?
I think the CCE authentication will stop you from actually making changes.

Not to say that Sun shouldn't patch their PHP scripts from viewing them...
(BTW, it goes for all the other listings available too - vsites, swupdate)

--anders