#125 BIG SECURITY HOLE

Status: closed-fixed
Owner: David Norman
Labels: Other (26)
Priority: 9
Updated: 2001-12-24
Created: 2001-12-23
Creator: Anonymous
Private: No

Couldn't find an email anywhere 2 mail this stuff 2.

There is a nice lil .,.. uhm big hole in thatware.
Makes it possible 2 execute any command you want under
the privileges of the webserver.
Usually I mail this kinda stuff 2 admins, but since
there was no nice lil email addy around on the page I
guess I'll post it here

I won't explain the hole here, but it exists and I
checked it on http://thatware.org/

proof:

your webserver runs under the user nobody (as usual)

The pwd for your site is:
/usr/www/users/that

and "df" gives me:
Filesystem   512-blocks     Used    Avail Capacity  Mounted on
/dev/ad0s1a      793790   184310   545978    25%    /
/dev/ad0s1f    24274084 16216192  6115966    73%    /usr
/dev/ad0s1e     2034654  1069772   802110    57%    /var
procfs                8        8        0   100%    /root/proc

and here are the last lines of the /etc/passwd on
kfin.pair.com
which appears 2 be the place thatware.org is hosted.

oh well: you get the point.
If yah wanna contact me: mail me. ONLY the
siteowners/developers pls.
And pls remove this post when you have mailed me.

Discussion

  • Logged In: NO

    Hmmmmm

    didn't see my email anywhere. maybe the admins can see it. In
    case not:
    try me@gooner.dhs.org

     
  • David Norman
    2001-12-23

    • priority: 5 --> 9
    • assigned_to: nobody --> deekayen
     
  • David Norman
    2001-12-23

    Logged In: YES
    user_id=14655

    Email sent to submitter. Waiting for reply.

     
  • David Norman
    2001-12-24

    Logged In: YES
    user_id=14655

    Fixed in CVS and prepared for release as 0.5.3.

     
  • David Norman
    2001-12-24

    • status: open --> closed-fixed