Re: Security Issues with HIGHSPEEDWEB.NET leased servers

[fractalg () HIGHSPEEDWEB NET (Pedro Hugo)]

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We at High Speed Hosting consider the post by one Brian Mueller, to
BUGTRAQ , at best to be irresponsible and at worst , downright
dangerous to our network and the thousands of business clients
connected to it .
Since we use bugtraq regularly , and realize its charter and purpose
is an informational exchange and not a “complaint box” , we will not
go any further into the personal side of this post.  Instead , here is
a direct reply to any security value that might or might not have been
derived from that post:
First , in response to the statement that Our Security Policy allows
open telnet access to our servers. This is a complete mis-statement
obviously by one who has no idea what he is doing with the
“administration” of his dedicated server.  High Speed Hosting turns
over all dedicated server leases with telnet and daemons denied using
TCPWrappers .  The specific line in hosts.deny is ALL:ALL .
We then urge the customer connected to our network , who has full root
access to his server , and thus  , has full control , to ONLY allow
specific ports that are needed and only by specific IP address . In
fact we urge them to use ONLY a dedicated ip and not open even to a
class c ie:  xxx.xxx.xxx.*
Upon investigating this post we logged on to the dedicated server in
question and noticed the customer himself had removed the ALL:ALL in
the hosts.deny file and thus had opened the server to anyone wanting
to acess it. We consider this a severe risk and unacceptable and we
can't be held responsible for that.

In regards to the second portion of the post which complained of a
problem with our Control Panel system’s email management features ,
High Speed Hosting Security Administrators , aware of the possibility
that another customer hosted on the same server could if he wanted ,
divert email from another customer , immediately began a totally new
Webcontrol [tm]  System which uses a very different email system ,
including the use of qmail instead of sendmail.
This new WebControl  installation/upgrade began 17 days ago and is
progressing nicely and will soon include all Virtual Hosting servers
and Leased Dedicated NetROCK [tm] servers.

One should look before he leaps.

Mr P. Hugo
Director of Security
Genesis II Networks
High Speed Hosting Division
Security Administration Response Team

- - -----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of
Brian
Mueller
Sent: Quinta-feira, 20 de Janeiro de 2000 1:42
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Security Issues with HIGHSPEEDWEB.NET leased servers

Recently I started leased a dedicated server from HIGHSPEEDWEB.NET, it
came
preconfigured (somewhat) and I was told that it would be "secure" for
telnet
(only specifically stated IP address(s) could gain access), etc.
However, I
have found that this is not the case, it seems that they do not place
limiting information in the host.deny file so anyone can still telnet
into
the server.

Also, their mail configuration which allows users to add mail aliases
either
via a web interface or by editing a file called .mailalias in their
home
directories is faulty.  Users may place _ANY_ valid local domain into
this
file and forward mail from that domain to their email address.  The
system
works by running a cron script once per day and updating the sendmail
virtual user database.  The following is an example

person A has a webhosting account on the HIGHSPEEDWEB.NET configured
server,
person B wishes to "steal" email from Person A, they are targeting the
sales () person-a-domain com as the attacked address and they are going
to have
that forwarded to foo () bar com, they add the following line to their
.mailalias file

sales () person-a-domain com    foo () bar com

when the next update occurs any email sent to
sales () person-a-domain com will
be forwarded to foo () bar com, this also works with wildcards i..e.

@person-a-domain.com    foo () bar com

would work if your entry is read into the sendmail virtual user
database
before the one that exists in Person A's directory.

I notified HIGHSPEEDWEB.NET of the security issue well over a month
ago and
have not had any response from them regarding a fix.  I however did
instate
one of my own my forcing users to call myself to have aliases added
for the
time being.

Brian Mueller

*************************************************
Brian Mueller
President/CEO
CreoTech
"We are the future"
www.creotech.com
bmueller () creotech com
513.722.8645
*************************************************
- -----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i

iQA/AwUBOIebj7Q4oqT8+RAqEQKAdwCg2yrLlmHjVMZNP+GenlTy3vZHj+0Amwdo
P5HTatZ4DVhrRYwZIbvdIors
=ICrR
- -----END PGP SIGNATURE-----