Bugtraq mailing list archives

Re: piranha default password/exploit
From: cdi () THEWEBMASTERS NET (CDI)
Date: Tue, 25 Apr 2000 18:36:52 -0700


On Mon, 24 Apr 2000, Max Vision wrote:

> The first problem is the default account and password that protect the web
> directory containing the administrative php3 scripts.

This is, I think, the crux of the problem.  "Default passwords" are, by
definition, not passwords. They are crutches used by lazy developers and
are all too often left unchanged by even more lazy administrators.

OK, so they've fixed the poorly thought out system call that led to
this compromise, but I'd suggest a change to the RPM spec file for the
next build. Something like this should work? (Philip?) - force them to set
a password during the installation process...

----------<snip>----------
--- piranha.spec.in.orig        Mon Apr 24 00:35:34 2000
+++ piranha.spec.in     Tue Apr 25 18:12:55 2000
@@ -115,6 +115,7 @@

 %post gui
 chown nobody /home/httpd/html/piranha/secure/passwords
+htpasswd /home/httpd/html/piranha/secure/passwords piranha

 %changelog
 * Sat Apr 23 2000 Philip Copeland <copeland () redhat com>
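
Review bot: The added htpasswd line in %post gui takes no password argument, so it has to prompt for one, and an RPM scriptlet is not guaranteed a terminal to prompt on (unattended or graphical installs). If the prompt cannot be answered the command fails, nothing in the hunk checks its exit status, and the install completes with whatever the passwords file already contained. Suggest testing for a terminal before calling htpasswd and, when there is none or the command fails, leaving the piranha entry unusable and printing an instruction to run htpasswd by hand before the GUI is exposed. Since the new line runs after the chown to nobody on the line above it, also confirm the file's owner and mode are still as intended once htpasswd has updated it.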

----------<snip>----------

CDI
____________________________________
The Web Master's Net
http://www.thewebmasters.net/
Today's Excuse:
Sysadmin accidentally destroyed pager with a large hammer.
