[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Re: ISS Security Advisory: Backdoor Password in Red Hat Linux
From:       Cristian Gafton <gafton () REDHAT ! COM>
Date:       2000-04-25 22:29:54
[Download RAW message or body]

On Tue, 25 Apr 2000, Aleph One wrote:

> Backdoor Password in Red Hat Linux Virtual Server Package

As probably it is clear by now, this is not a backdoor. The advisory
refers to the *default password* for a service and by any common sense
standards this does not fit the definition of a backdoor.

> Impact:
>
> With this backdoor password, an attacker could compromise the web server as
> well as deface and destroy the web site.

Now, wait a minute. How flashy can an advisory be made? Granted the
security problem is serious (I do not dispute that), but how does this
implies that one has immediate access to deface a web site?! The web
server runs as nobody, and I have yet to hear of sane installations that
have the .html files owned by nobody.

The remote users can get a shell access on a web server. *That* is the
serious security vulnerability. Whatever the attacker can do from there on
is a matter of the internal security on a web server. But just having this
shell does not guarantee the destruction of a web site, as the ISS
advisory seems to imply.

Cristian
--
----------------------------------------------------------------------
Cristian Gafton     --     gafton@redhat.com      --     Red Hat, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  "How could this be a problem in a country where we have Intel and
   Microsoft?"  --Al Gore on Y2K

[prev in list] [next in list] [prev in thread] [next in thread]