Date:         Sat, 24 Feb 2001 17:21:42 -0000
From: John Brock <peppertech@SUN.COM>
Subject:      Re: Advisory: Chili!Soft ASP Multiple Vulnerabilities
To: BUGTRAQ@SECURITYFOCUS.COM

There have been various issues related to security brought to the
attention of Chili!Soft.

While we are working as quickly as possible to address the more detailed
issues, we would like to provide as much information as possible on the
current status to help remove as much exposure as possible in the short
term.  Chili!Soft is dedicated to providing a safe, secure environment
for both our customers and their clients.

There have been 4 specific issues presented to us.  We will cover each
in its own section below.

1)  Issue:  Chili!Soft ASP installs a default username and password for
the ASP Admin Console when you choose to install using the "default"
installation.

Solution:  The Admin console username and password can be changed by
telnetting to the machine and running the "admtool" utility.  You must
be root to run this utility.  Once the utility is started, you can list
the existing users, delete users, and/or add additional users.  It is
always strongly advisable to remove any default settings as quickly as
possible.

Note:  By choosing the "custom" installation method, instead of the
default, you will be prompted for the ASP Admin console username and
password.

Software Versions Affected:  Linux 3.5.2, AIX 3.6

2)  Issue:  Chili!Soft ASP sample applications contain the ability to
view the source of the sample ASP applications.  This "codebrws.asp"
script can be exploited to view any file on the system whose full path
is known.

Solution:  Disable the sample directories.  This can be done in
different ways, depending on your environment.
	a)  For Chili!Soft customers on Linux environments or using
Chili!Soft ASP v3.6 on AIX, go to the ASP Admin Console, click on the
ASP Applications link, and remove all of the Chili!Soft ASP Applications
that are listed.  These all begin with the prefix /caspsamp.
	b)  For customers on Solaris, HP, or previous AIX environments,
telnet to the machine and change to the ASP engines directory
(/opt/casp/asp-apache-3000 by default).  Open the casp.cnfg file and
comment out the Chili!Soft ASP Sample Applications listed at the bottom
of the file under the [ASP Applications] section.  Again, these all
begin with the prefix /caspsamp.
	c)  The ability to view the ASP Sample applications is limited to
the root web server of a machine.  They cannot be accessed from a
virtual host by default.  If you are running in a shared hosting
environment, your customers will only have the ability to access the
/caspsamp virtual directory *if* they are connecting to the root web
server on your machine.  Chili!Soft ASP has the ability to enable ASP
support on a per virtual host basis when used with Apache web servers.
You can disable ASP support for the root web server.  On Linux and AIX
v3.6 installations, this can be done in the Admin Console.

Note:  *All* of the file access issues presented in the BugTraQ Advisory
"Chili!Soft ASP Multiple Vulnerabilities" are directly related to the
ability to reach the /caspsamp virtual directory.  If one cannot view
the ASP Sample applications from the web, one cannot access the
configuration and log files from the web.

Software Versions Affected:  All Chili!Soft releases on UNIX.

3)  Issue:  Chili!Soft ASP installs certain configuration files with
permission settings that allow world-readable access.

Solution:  The removal of access to the ASP samples, by performing one
of the steps listed in Item (2) above, will block the ability for anyone
to view or modify the ASP configuration and log files without having
direct access to the filesystem.  We have also determined that a number
of the files can safely be set to a higher degree of security.  Below is
a list of what can be done at this time.
	a)  All files in the ASP engines directory
(/opt/casp/asp-apache-3000 by default) can be set to either 600 or 700
accordingly, EXCEPT casp.cnfg and odbc.ini.  These two files must not be
set to any permissions lower than 644.
	b)  In the CASP installation root directory (/opt/casp by
default), you can change the permissions on the global_odbc.sh file to
600.

	Other specific file permission issues are being addressed as
quickly as possible and will be modified in an upcoming release.
Changing permissions on these files necessitates some changes to our
product that must be blessed by Quality Assurance prior to public
release in order to ensure that the product will continue to function as
expected.  We are well underway with this cycle and will try to post
updates as appropriate.

Software Versions Affected:  All Chili!Soft releases on UNIX (on
versions other than Linux, filenames and locations may be modified
somewhat.)

4)  Issue:  InheritUser security mode does not properly set the Group
ID.

Solution:  This must be addressed at the code level and thus there is no
configuration workaround that can be immediately applied.  This issue is
in the process of being addressed in the upcoming v3.6 release on
Solaris, Linux, and HP.  We are working to have this new release
available as quickly as possible.  We expect to have specific dates
available in the upcoming week.

Software Versions Affected:  All Linux releases.  Solaris, HP, and AIX
*only* when used with Apache webserver in multithread mode.

We appreciate your patience with these issues.  We also appreciate that
your comments and findings help improve our product for everyone.
Please do not hesitate to bring up any concerns you may have by
contacting us at tech@chilisoft.com.
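
The interim steps in items 2(b), 3(a) and 3(b) above, as a shell example added here; it is not part of the original message and is not Chili!Soft code. The function names are hypothetical, "600 or 700 accordingly" is read as 700 for files that already have the owner execute bit, and files in subdirectories of the engine directory are included.

```shell
#!/bin/sh
# Added example, not Chili!Soft code. Function names are hypothetical.
# Paths default to the locations the advisory gives.
CASP_ROOT=${CASP_ROOT:-/opt/casp}
ENGINE_DIR=${ENGINE_DIR:-$CASP_ROOT/asp-apache-3000}

# Item 3(a): owner-only modes for every file under the engine directory,
# except casp.cnfg and odbc.ini, which are held at 644.
# Assumption: "600 or 700 accordingly" is read as 700 for files whose owner
# execute bit is already set and 600 for everything else.
harden_engine_dir() {
    dir=$1
    find "$dir" -type f ! -name casp.cnfg ! -name odbc.ini \
        -perm -100 -exec chmod 700 {} +
    find "$dir" -type f ! -name casp.cnfg ! -name odbc.ini \
        ! -perm -100 -exec chmod 600 {} +
    find "$dir" -type f \( -name casp.cnfg -o -name odbc.ini \) \
        -exec chmod 644 {} +
}

# Item 3(b): global_odbc.sh in the installation root goes to 600.
harden_global_odbc() {
    if [ -f "$1/global_odbc.sh" ]; then
        chmod 600 "$1/global_odbc.sh"
    fi
}

# Item 2(b): print the entries under [ASP Applications] that still begin
# with /caspsamp. Commented-out entries no longer begin with that prefix,
# so empty output means the samples are disabled in this file.
active_sample_apps() {
    awk '/^\[/ { in_sec = ($0 ~ /^\[ASP Applications\]/); next }
         in_sec && /^[ \t]*\/caspsamp/' "$1"
}

# Act only when the engine directory exists on this host.
if [ -d "$ENGINE_DIR" ]; then
    harden_engine_dir "$ENGINE_DIR"
    harden_global_odbc "$CASP_ROOT"
    left=$(active_sample_apps "$ENGINE_DIR/casp.cnfg")
    [ -z "$left" ] || printf 'still registered:\n%s\n' "$left"
fi
```

Run it as root, since the files belong to the installation; set CASP_ROOT and ENGINE_DIR first if the product was not installed in the default locations.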