Bugtraq mailing list archives

Re: ISS Security Advisory: Backdoor Password in Red Hat Linux Virtual Server Package
From: gafton () REDHAT COM (Cristian Gafton)
Date: Tue, 25 Apr 2000 18:29:54 -0400


On Tue, 25 Apr 2000, Aleph One wrote:

> Backdoor Password in Red Hat Linux Virtual Server Package

As is probably clear by now, this is not a backdoor. The advisory
refers to the *default password* for a service, and by any common sense
standards this does not fit the definition of a backdoor.

> Impact:
>
> With this backdoor password, an attacker could compromise the web server as
> well as deface and destroy the web site.

Now, wait a minute. How flashy can an advisory be made? Granted, the
security problem is serious (I do not dispute that), but how does this
imply that one has immediate access to deface a web site?! The web
server runs as nobody, and I have yet to hear of sane installations that
have the .html files owned by nobody.

Remote users can get shell access on the web server. *That* is the
serious security vulnerability. Whatever the attacker can do from there on
is a matter of the internal security of the web server. But just having this
shell does not guarantee the destruction of a web site, as the ISS
advisory seems to imply.

Cristian

--
----------------------------------------------------------------------
Cristian Gafton     --     gafton () redhat com      --     Red Hat, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  "How could this be a problem in a country where we have Intel and
   Microsoft?"  --Al Gore on Y2K
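
The distinction drawn in the message above, that a shell running as "nobody"
can only deface a site whose document root is writable by "nobody", is
something an administrator can check directly. What follows is an added
example, not code from this message, from Red Hat or from ISS: a POSIX sh
audit that lists every file or directory under a document root that the web
server's account owns or that is world-writable. The function names, the
account name "nobody" (taken from the message) and the sample files it builds
are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Red Hat/ISS:
# audit a web document root for content the web server's unprivileged
# account (here "nobody", as in the message) could modify.  The function
# names, the docroot layout and the sample files are all constructed for
# this illustration.
set -e

# audit_docroot DOCROOT WEBUSER
# Prints one line per file or directory under DOCROOT that WEBUSER could
# write to, either because WEBUSER owns it or because it is world-writable.
# Returns 0 when nothing is found, 1 otherwise.
audit_docroot() {
    docroot=$1
    webuser=$2
    findings=""
    # Ownership check only when the account exists on this host, because
    # find(1) aborts on an unknown -user argument.
    if id -u "$webuser" >/dev/null 2>&1; then
        findings=$(find "$docroot" \( -type f -o -type d \) -user "$webuser" -print \
                   | sed 's/^/owned-by-webuser: /')
    fi
    # World-writable entries (other-write bit, octal 002), whoever owns them.
    worldw=$(find "$docroot" \( -type f -o -type d \) -perm -002 -print \
             | sed 's/^/world-writable: /')
    findings=$(printf '%s\n%s\n' "$findings" "$worldw" | sed '/^$/d')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample docroot: one correctly-owned, read-only page and one
# file left world-writable (the kind of misconfiguration that would let a
# shell running as "nobody" deface the site).  Prints the directory path.
make_demo_docroot() {
    d=$(mktemp -d)
    chmod 755 "$d"
    printf '<h1>hello</h1>\n' > "$d/index.html"
    chmod 644 "$d/index.html"
    printf '<h1>uploads</h1>\n' > "$d/upload.html"
    chmod 666 "$d/upload.html"
    printf '%s\n' "$d"
}

# Stand-alone run: build the sample tree, audit it, report, clean up.
demo=$(make_demo_docroot)
if audit_docroot "$demo" nobody; then
    echo "clean: nothing under $demo is writable by nobody"
else
    echo "review the entries above: a shell as nobody could alter them"
fi
rm -rf "$demo"
```

Run it against a real document root with the account the httpd actually
drops to (check the User directive in httpd.conf rather than assuming
"nobody"). An empty result is what the message calls a sane installation;
every line printed is a file the attacker's shell could rewrite, and
group-writable files whose group the web user belongs to would need a
further check that this example does not make.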


