Bugtraq mailing list archives
Re: BigIP - bigconf.cgi holes
From: r.gilde () F5 COM (Rob Gilde)
Date: Wed, 10 Nov 1999 18:59:49 -0800
Guy Cohen writes: | unfortunately This effects version 2.1.2 too. | I have added (using the html interface) user with READ-ONLY access, logged | in as this user and by executing | 'bigconf.cgi?command=view_textfile&file=/etc/master.passwd&filters=;' I was | able to see the the encrypted passwords in /etc/master.passwd witch is for | root eyes only. Good point. That slipped past us. We will release a patch on Thursday 11/10, Version 2.1.2 PTF-02. Hopefully this will not be a problem for most customers since they are very unlikely to give access to a malicious user. The patch will be available through the normal means. Ejovi Nuwere writes: | So if I understand correctly, F5 has made many improvements to the | security of BigIP. Now was adding a second account with uid 0 without the | knowlede of the user part of that plan? | This is blatently bad security practice, every BigIP box I have come | across has this account. Not only did you add a shell account, but you did | the same for the browser configuration tool: The second account has always been part of the product, so it is not something that we slipped in. It has always been visible to any user who looked for it. Most importantly, the account is only used by F5 Networks when a customer has explicitly requested that F5 do so. I apologize to any customers who were caught unaware of this. In any case, now that you've brought up the subject, we have re-evaluated the advantages and disadvantages of having this account and we have decided to henceforth disable it by default. We will be contacting each of our customers individually and recommending that they disable the support account or change the password. Even though your posting included hashed passwords, since the hashing algorithm is very strong, we do not believe that any BIG/ip or 3DNS units have a security risk at this time. Customer feedback like this has helped us improve the quality of the products since their inception, not only in security, but in capabilities and usability. We are very grateful! Rob Gilde Product Development Manager voice: 206-505-0857 email: rob () f5 com F5 Networks, Inc. 200 First Avenue West, Suite 500 Seattle, WA 98119 http://www.f5.com 1-888-88BIGIP <!-- body="end" --> <HR> <UL> <LI><STRONG>Next message:</STRONG> Gwendolynn ferch Elydyr: "F5 Networks Security Advisory (fwd)" <LI><STRONG>Previous message:</STRONG> Richard Trott: "Re: BIND NXT Bug Vulnerability" <LI><STRONG>In reply to:</STRONG> Elias Levy: "BIND NXT Bug Vulnerability" </UL> <HR> <SMALL> This archive was generated by hypermail 2.0b3 on Wed Nov 10 1999 - 21:08:35 CST</EM> </EM> </SMALL> </BODY> </HTML>
Current thread:
- Re: BigIP - bigconf.cgi holes Rob Gilde (Nov 09)
- Re: BigIP - bigconf.cgi holes Guy Cohen (Nov 10)
- <Possible follow-ups>
- Re: BigIP - bigconf.cgi holes Rob Gilde (Nov 10)