Date: Thu, 25 May 2000 02:17:16 -0700 From: Jeff Lovell <jlovell@COBALT.COM> Subject: Cobalt Networks - Security Advisory - Frontpage To: BUGTRAQ@SECURITYFOCUS.COM Cobalt Networks -- Security Advisory -- 5.25.2000 Problem: With the current installation of Frontpage on RaQ2 and RaQ3, the ability to write data to other websites hosted on the same RaQ. This is due to a permissioning issue with the 'httpd' user. Description: Thanks to Chris Adams <cmadams@hiwaay.net> Chris Adams wrote: "There is a security problem with FrontPage extensions on the Cobalt RaQ2 and RaQ3 web hosting appliances. It allows any user on the system to change, delete, or overwrite a FrontPage site." When a site is uploaded with FP to a RaQ2/3, all of the files are owned by user "httpd" instead of a site-specific user. The Apache web server is also running as user "httpd". Cobalt uses cgiwrap to have CGIs run as the user that owns the CGI instead of "httpd", but it is trivial to bypass cgiwrap and run scripts as user "httpd". Cobalt Networks is dedicated to providing secure platforms. Accordingly, we have just completed a fix for this bug that is available in tar.gz format, which can be found at the following locations: RaQ 3i (x86) tar.gz: ftp://ftp.cobaltnet.com/pub/experimental/secuirty/frontpage/fpx_patch1.tar.gz RaQ 2 (MIPS) tar.gz: ftp://ftp.cobaltnet.com/pub/experimental/secuirty/frontpage/fpx_patch1.tar.gz MD5 sum Package Name -------------------------------------------------------------------------- bb690be8a6cbf3d795ad193c4e51cece fpx_patch1.tar.gz You can verify each rpm using the following command: md5sum fpx_patch1.tar.gz The details on installing this package are located at: ftp://ftp.cobaltnet.com/pub/experimental/secuirty/frontpage/README The package file format (pkg) for this fix is currently in testing, and will be available in the very near future. Jeff Lovell Cobalt Networks jlovell@cobalt.com