List: bugtraq
Subject: Re: ISS Security Advisory: Backdoor Password in Red Hat Linux
From: Cristian Gafton <gafton () REDHAT ! COM>
Date: 2000-04-25 22:29:54
On Tue, 25 Apr 2000, Aleph One wrote:
> Backdoor Password in Red Hat Linux Virtual Server Package
As is probably clear by now, this is not a backdoor. The advisory
refers to the *default password* for a service, and by any common-sense
standard this does not fit the definition of a backdoor.
> Impact:
>
> With this backdoor password, an attacker could compromise the web server as
> well as deface and destroy the web site.
Now, wait a minute. How flashy can an advisory be made? Granted, the
security problem is serious (I do not dispute that), but how does this
imply that one has immediate access to deface a web site?! The web
server runs as nobody, and I have yet to hear of sane installations that
have the .html files owned by nobody.
Remote users can get shell access on the web server. *That* is the
serious security vulnerability. Whatever the attacker can do from there on
is a matter of the internal security of the web server. But just having this
shell does not guarantee the destruction of a web site, as the ISS
advisory seems to imply.
Cristian
--
----------------------------------------------------------------------
Cristian Gafton -- gafton@redhat.com -- Red Hat, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"How could this be a problem in a country where we have Intel and
Microsoft?" --Al Gore on Y2K
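The argument above turns on one checkable property of an installation: a shell as the web server's run-as user (nobody, in Gafton's example) only lets the attacker deface the site if the served files, or the directories holding them, are writable by that account. The script below is an added example, not code from this thread, from ISS or from Red Hat. It walks a DocumentRoot and lists every path the given user could write under ordinary Unix permission rules (owner, group including supplementary groups, other; root always wins; ACLs and immutable flags are not considered). The DocumentRoot path and the user name are command-line arguments and are assumptions about the host being checked; `demo_audit()` builds a constructed sample tree in a temporary directory and audits it for a made-up uid so the logic can be exercised without a real web server.

```python
#!/usr/bin/env python3
"""Audit a web DocumentRoot for paths the web server's run-as user could modify.

Added example; this is not code from the thread, from ISS or from Red Hat.
The run-as user name and the DocumentRoot are supplied on the command line
and are assumptions about the installation being checked.
"""
import grp
import os
import pwd
import shutil
import stat
import sys
import tempfile


def writable_by(mode, file_uid, file_gid, uid, gids):
    """True if a principal with uid and the set of group ids gids can write a
    file with the given st_mode/st_uid/st_gid under plain Unix permission
    rules. Only one class of bits applies: owner if the uids match, else group
    if the gid is one of ours, else other. ACLs and immutable flags are ignored."""
    if uid == 0:
        return True  # root bypasses discretionary access control
    if file_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def principal(user):
    """Resolve a user name to (uid, gids), including supplementary groups."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return pw.pw_uid, gids


def audit_docroot(root, uid, gids):
    """Return sorted paths under root (directories included) that the principal
    can write. A writable directory counts: even with read-only files inside,
    the attacker can unlink them and drop replacements. Symlinks are not
    followed and not judged; their targets are judged where they really live."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                hits.append(path)
    return sorted(hits)


def demo_audit(uid=65533, gids=frozenset({65533})):
    """Build a constructed sample DocumentRoot in a temp dir, audit it for a
    made-up unprivileged principal (uid 65533, an assumption chosen to match no
    account on the host), and return the hits relative to the root.
    Layout: index.html 0644, guestbook.html 0666, uploads/ 0777 holding
    banner.gif 0644. Hits: guestbook.html and the uploads directory."""
    root = tempfile.mkdtemp(prefix="docroot-demo-")
    try:
        os.chmod(root, 0o755)
        layout = {
            "index.html": 0o644,
            "guestbook.html": 0o666,
            "uploads": 0o777,
            "uploads/banner.gif": 0o644,
        }
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            if rel == "uploads":
                os.mkdir(path)
            else:
                open(path, "w").close()
            os.chmod(path, mode)
        return [os.path.relpath(p, root) for p in audit_docroot(root, uid, set(gids))]
    finally:
        shutil.rmtree(root)


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: %s DOCUMENT_ROOT RUN_AS_USER" % argv[0])
    root, user = argv[1], argv[2]
    try:
        uid, gids = principal(user)
    except KeyError:
        sys.exit("no such user: %s" % user)
    hits = audit_docroot(root, uid, gids)
    for path in hits:
        print(path)
    print("%d path(s) writable by %s under %s" % (len(hits), user, root),
          file=sys.stderr)
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `audit_docroot.py /home/httpd/html nobody` (both arguments are placeholders for the host's real values); a non-zero exit means at least one path is writable by the web user and a shell as that user would indeed be enough to deface the site. An empty result only covers the DocumentRoot itself: CGI directories, log directories and anything the server can reach through its configuration deserve the same check.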