Bugtraq mailing list archives
[ Cobalt ] Security Advisory -- 01.31.2000
From: jeffb () COBALTNET COM (Jeff Bilicki)
Date: Mon, 31 Jan 2000 09:43:04 -0800
Cobalt Networks -- Security Advisory -- 01.31.2000

Problem:

For RaQ 1 and RaQ 2: Through improper permissions checking in /.cobalt/siteUserMod/siteUserMod.cgi, any Site Administrator can change the password of the admin (root) account on the system.

For RaQ 3: Through improper permissions checking in /.cobalt/siteUserMod/siteUserMod.cgi, any Site Administrator can change the password of any regular user or Site Administrator on the system, but not admin (root).

Bug and exploit by: Chuck Pitre <chuck () oa net>

Relevant products and architectures

Product   Architecture   Vulnerable
Qube1     MIPS           No
Qube2     MIPS           No
RaQ1      MIPS           Yes
RaQ2      MIPS           Yes
RaQ3      x86            Yes

If your system is at risk, you can download the relevant package and install it. These are beta versions of the packages; Cobalt is currently testing them.

RaQ 1 - ftp://ftp.cobaltnet.com/pub/experimental/security/siteUserMod/RaQ1-Security-3.6.pkg
RaQ 2 - ftp://ftp.cobaltnet.com/pub/experimental/security/siteUserMod/RaQ2-Security-2.94.pkg
RaQ 3 - ftp://ftp.cobaltnet.com/pub/experimental/security/siteUserMod/RaQ3-Security-2.2.pkg

If you experience any problems with these packages, please email jeffb () cobalt com or security () cobalt com.

Jeff Bilicki
Software Engineer
Cobalt Networks