 
Bugtraq mailing list archives
Re: ISS Security Advisory: Backdoor Password in Red Hat Linux Virtual Server Package
From: gafton () REDHAT COM (Cristian Gafton)
Date: Tue, 25 Apr 2000 18:29:54 -0400
On Tue, 25 Apr 2000, Aleph One wrote:

> Backdoor Password in Red Hat Linux Virtual Server Package

As is probably clear by now, this is not a backdoor. The advisory refers to the *default password* for a service, and by any common-sense standard this does not fit the definition of a backdoor.

> Impact: With this backdoor password, an attacker could compromise the web server as well as deface and destroy the web site.

Now, wait a minute. How flashy can an advisory be made? Granted, the security problem is serious (I do not dispute that), but how does this imply that one has immediate access to deface a web site?! The web server runs as nobody, and I have yet to hear of sane installations that have the .html files owned by nobody. The remote users can get shell access on a web server. *That* is the serious security vulnerability. Whatever the attacker can do from there on is a matter of the internal security on a web server. But just having this shell does not guarantee the destruction of a web site, as the ISS advisory seems to imply.

Cristian

--
----------------------------------------------------------------------
Cristian Gafton -- gafton () redhat com -- Red Hat, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"How could this be a problem in a country where we have Intel and Microsoft?" --Al Gore on Y2K