(hhp) Discus advisory. (hhp)
---------------------------------------------------

Discus (Free discussion for your Web Site!) at
http://www.chem.hope.edu/discus/ has a directory and file permission
problem. The code is really messy and they need to learn file and
permission operations better.

The source determines the mode of the directories and files from other
sources:
Line: 533 in discus3_01/source/src-board-setup
which is a totally bad idea being that no matter what, the private files
should not be +r... ie, the *.txt's and so on.

I contacted the software programmers and hope they recognize this problem
being that the files are so open and easy to find with any public search
engines.

I noticed quite a few servers are using this software and I would
guesstimate about 80% or more are vulnerable to getting their userfile
cracked and their server rooted.

So my suggestion to people using this software is check your modes or
either wait for a new release of the software. I did not want to get into
making a patch being that they need to totally redo some of their methods.

elaich - 2:30:15am CST 4/24/1999
--------------------------------------------
elaich of the hhp.
Email: hhp@hhp.hemp.net / pigspigs@yahoo.com
Voice: 1800-Rag-on-gH pin: The-hhp-crew
Web: http://hhp.hemp.net
--------------------------------------------

-------------------------------------------------------

Date: Thu, 29 Apr 1999 19:50:34 -0400
From: Elaich Of Hhp <hhp@NS.SUSPEND.NET>
To: BUGTRAQ@netspace.org
Subject: Re: Discus advisory.

On Wed, 28 Apr 1999, Ian R. Justman wrote:

> Showed this to my boss because one of our customers (one whose account we
> are currently reviewing) runs this script.
>
> If this is running under Linux, FreeBSD or any system with a decent shadow
> password system or something similar AND a sanely-configured web server,
> e.g.
> with CGIwrap, any internal wrappering which runs scripts as the owner
> of the script like any later version of Apache with the integrated setuid
> wrapper, or at the very least just outright running scripts as an
> arbitrary unprivileged user, there is no problem. You can't read
> /etc/shadow|/etc/master.passwd|/etc/whatever if you're not a privileged
> user. ;)
>
> --Ian.

Well I never said that /etc/shadow, /etc/passwd etc. etc. were readable,
and the stuff you stated above is not the problem here. The software
creates the directory with 666 perms. In that directory there is a
users.txt and an admin.txt which both contain crypt(3) passwds.

Here is one of the simple replies I have received.

- Date: Mon, 26 Apr 1999 09:32:23 -0400
- From: mwerneburg@stardata.ca
- To: hhp@hhp.hemp.net
- Subject: Re: Discus advisory.
-
- Good post. I'm administering a discus installation and was appalled to
- see files like passwd.txt with 666 perms. Thanks for the heads-up!

-elaich
-----------------------------------------
elaich of the hhp. hhp-1999(c)
Email: hhp@hemp.net
Web: http://hhp.hemp.net/
Voice: 1-800-Rag-on-gH pin: The-hhp-crew
hhp-ms: hhp.hemp.net, port:7777, pass:hhp
-----------------------------------------

-------------------------------------------------------

Date: Sat, 1 May 1999 11:36:58 -0400
From: Todd C. Campbell <toddc@net-link.net>
To: BUGTRAQ@netspace.org
Subject: Re: Discus advisory.

Elaich Of Hhp wrote:

> On Wed, 28 Apr 1999, Ian R. Justman wrote:
> > Showed this to my boss because one of our customers (one whose account we
> > are currently reviewing) runs this script.
> >
> > If this is running under Linux, FreeBSD or any system with a decent shadow
> > password system or something similar AND a sanely-configured web server,
> > e.g.
> > with CGIwrap, any internal wrappering which runs scripts as the owner
> > of the script like any later version of Apache with the integrated setuid
> > wrapper, or at the very least just outright running scripts as an
> > arbitrary unprivileged user, there is no problem. You can't read
> > /etc/shadow|/etc/master.passwd|/etc/whatever if you're not a privileged
> > user. ;)
> >
> > --Ian.
>
> Well I never said that /etc/shadow, /etc/passwd etc. etc. were readable,
> and the stuff you stated above is not the problem here. The software
> creates the directory with 666 perms. In that directory there is a
> users.txt and an admin.txt which both contain crypt(3) passwds.
>

Where this is true, and it is something that you should be careful of. The
admin directory where these files are found is mentioned in the
documentation. They do tell you to make sure the directory is not web
readable. I took this as a tip off, and made the appropriate changes. I
would think any good administrator would have done the same.

-Todd
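
A mode audit of the kind the advisory asks administrators to do ("check your modes"), as an added example that is not part of the original thread or of the Discus source. The directory to audit is whatever path the administrator passes in; the lock-down step assumes the CGI runs as the file owner (CGIwrap or Apache's setuid wrapper, as mentioned in the thread), so owner and group access is enough for the board to keep working.

```shell
#!/bin/sh
# Added example: audit a Discus-style data directory for files and
# directories that "other" users can read, write or enter.
# Function names and the calling convention are this example's own.

# Print every file or directory under $1 with any "other" permission bit set.
list_world_accessible() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of entries reported by list_world_accessible.
count_world_accessible() {
    list_world_accessible "$1" | wc -l | tr -d ' '
}

# Print only world-readable *.txt files, the case the advisory describes
# (users.txt and admin.txt holding crypt(3) hashes).
list_exposed_txt() {
    find "$1" -type f -name '*.txt' -perm -004 -print
}

# Remove all access for "other" on files and directories under $1.
# Assumption: the CGI runs as the file owner, so this does not break the board.
lock_down() {
    find "$1" \( -type f -o -type d \) -exec chmod o-rwx {} +
}

# Stand-alone use: sh audit.sh /path/to/discus/admin
# Lists offending entries and exits non-zero if any were found.
if [ "$#" -ge 1 ]; then
    list_world_accessible "$1"
    [ "$(count_world_accessible "$1")" -eq 0 ]
fi
```

File modes are only half of what the thread discusses: the admin directory also has to be kept out of what the web server will serve, which this check does not cover.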