Posted on 12/13/2002 2:57:00 AM PST by Yeti
Edited on 04/13/2004 3:04:58 AM PDT by Jim Robinson. [history]
Today, Sun and CERT announced that many of Sun's Cobalt RaQ 4 Linux servers can be completely taken over by a local user or via the Internet. Ironically, the vulnerability is only present if the vendor's optional "Security Hardening Package" is installed. The package is quite popular and is installed on a large percentage of these servers.
(Excerpt) Read more at extremetech.com ...
In the early days of CGI, email scripts were poular. On UNIX systems, most of them would write the "mail" command to the system, followed by the email address and the body of the message as input by the remote user.
If the user put a semicolon in the email address field, the system would see everything thereafter as a new command.
Since the CGI script exectues with the server daemon's permission, and since the server daemon has root permision, the net effect was to give away root access to the world via the email script.
Could this be a similar flaw?
No patch for an input validation problem? Is that really all that's going on? Seems like it wouldn't be too hard to release a patch that validates input....
But instead you have to take down your security package...?!?!?!
Does anyone know the real details of the problem?
I mean...there are better ways to admin a server than through a web browser.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.