Bugtraq mailing list archives
Re: piranha default password/exploit
From: cdi () THEWEBMASTERS NET (CDI)
Date: Tue, 25 Apr 2000 18:36:52 -0700
On Mon, 24 Apr 2000, Max Vision wrote:
> The first problem is the default account and password that protect the web directory containing the administrative php3 scripts.

This is, I think, the crux of the problem. "Default passwords" are, by definition, not passwords. They are crutches used by lazy developers and are all too often left unchanged by even more lazy administrators.

OK, so they've fixed the poorly thought out system call that led to this compromise, but I'd suggest a change to the RPM spec file for the next build. Something like this should work? (Philip?) - force them to set a password during the installation process...

----------<snip>----------
--- piranha.spec.in.orig Mon Apr 24 00:35:34 2000 +++ piranha.spec.in Tue Apr 25 18:12:55 2000 @@ -115,6 +115,7 @@ %post gui chown nobody /home/httpd/html/piranha/secure/passwords +htpasswd /home/httpd/html/piranha/secure/passwords piranha %changelog * Sat Apr 23 2000 Philip Copeland <copeland () redhat com>
----------<snip>----------

CDI
____________________________________
The Web Master's Net http://www.thewebmasters.net/
Today's Excuse: Sysadmin accidentally destroyed pager with a large hammer.
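Review bot: the `htpasswd /home/httpd/html/piranha/secure/passwords piranha` line added to `%post gui` prompts interactively for the password, so any install without a terminal on stdin (kickstart, a scripted `rpm -U`, unattended builds) will hang or error out, and because `%post` runs on every upgrade the prompt recurs each time. There is also no check that `htpasswd` exists on the system (it comes from the Apache package, so the spec would need a matching `Requires:`), and if the command fails the file is left untouched, which keeps the shipped default account in place, the exact condition the change is meant to remove. Consider shipping the `passwords` file without the default entry so the GUI stays unreachable until an administrator runs `htpasswd`, and printing that command and path from `%post` rather than prompting there.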
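A version of the install-time idea above that also copes with unattended installs, added here as an example and not code from the post or from the piranha package; the file path, the account name piranha, the use of htpasswd and the assumption that a terminal on stdin marks an interactive install are all assumptions for illustration:

```shell
#!/bin/sh
# Added example (not from the original post or the piranha package): a
# %post-style scriptlet that never leaves a shipped default account in
# place and only prompts for a password when a terminal is attached.
# PASSWD_FILE, GUI_USER and the htpasswd invocation are assumptions.

PASSWD_FILE=${PASSWD_FILE:-/home/httpd/html/piranha/secure/passwords}
GUI_USER=piranha

# Return 0 if the htpasswd-format file has a usable entry for GUI_USER,
# i.e. a line "user:hash" with a non-empty hash; comments are ignored.
has_usable_entry() {
    file=$1
    [ -r "$file" ] || return 1
    awk -F: -v u="$GUI_USER" '
        /^[ \t]*(#|$)/ { next }
        $1 == u && length($2) > 0 { found = 1 }
        END { exit found ? 0 : 1 }' "$file"
}

# Drop any entry shipped for GUI_USER so a known default cannot survive the
# install; ownership of the file is kept because it is rewritten in place.
drop_shipped_entry() {
    file=$1
    [ -f "$file" ] || return 0
    tmp=$(mktemp) || return 1
    awk -F: -v u="$GUI_USER" '$1 != u' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# The %post body: interactive installs set the password now, unattended
# installs are told what to run instead of hanging on a prompt.
install_scriptlet() {
    drop_shipped_entry "$PASSWD_FILE"
    if [ -t 0 ] && command -v htpasswd >/dev/null 2>&1; then
        htpasswd "$PASSWD_FILE" "$GUI_USER"
    else
        echo "piranha: no GUI password set; run: htpasswd $PASSWD_FILE $GUI_USER" >&2
    fi
    has_usable_entry "$PASSWD_FILE" || \
        echo "piranha: GUI stays disabled until a password is set" >&2
}
```

Until has_usable_entry succeeds the GUI has no valid credential at all, which is the safe failure mode for an unattended install.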