Bugtraq mailing list archives
Yet another (minor) SGI bug
From: joku () BTGIX8 BGI UNI-BAYREUTH DE (Joerg Kuemmerlen)
Date: Tue, 5 Aug 1997 14:36:29 +0000
Last Saturday I was cleaning up my web page directory, and I found an 'index.html.N' file created by our new O2 (via NFS). Apparently this is just a default home page 'outbox' was creating at the time when I first logged in to the new O2 machine. Outbox was even clever enough to realize that I already had an index.html and was therefore writing the 'index.html.N' file.

I was close to deleting it, when I thought I might have a look at the content of that file ;-))

I was a little bit angry when I read that mail might be sent to me under an email address like

    joku@O2internetaddress.NISDomainname

I was tracing down the bug to a few lines in the outbox shell script located at:

    /var/X11/xdm/firsttime/outbox

There one finds:

    #
    # compute hostname
    #
    host=`/usr/bsd/hostname`
    if [ -x /usr/bin/domainname ] ; then
        hostonly=`echo $host | sed -e 's/\..*$//'`
        thisdomain=`/usr/bin/domainname`
        if [ "$thisdomain" != "" ] ; then
            server=$host.$thisdomain
        else
            server=$host
        fi
    else
        server=$host
    fi

This line does all the damage:

    thisdomain=`/usr/bin/domainname`

$thisdomain will contain the NIS domain name, if NIS is running on the machine.

The $server variable is finally used in the html file:

    <p>Send <a href="mailto:$UserName@$server">email to me.</a>
    <p>My machine is: <a href="/cgi-bin/MachineInfo">$host</a>

$server thus apparently contains the NIS domainname if NIS is running.

I guess that most of you know what to do in order to hack the whole NIS domain once you have the NIS domain name ;-))

I was just crosschecking the whole thing with a few IRIX 6.3 and IRIX 6.4 machines running NIS and I found that the NIS domainname was written to all default homepages *LOL*.

Furthermore I was checking a few O2 machines on the net - and again: the NIS domain name could be found on the 'outbox' default homepages of users, who most likely do not even know that they have a homepage at all ;-)).

I guess the whole thing is a minor bug only: in most cases I have checked NIS domain name and real domain name have been identical (and easy to guess) anyway ;-))

Information has been sent to SGI Security headquarter and DFN-CERT.

A few questions remain:

1.) Why has the domain name to be used ?? hostname would simply be enough.
2.) Do SGI software engineers think about their code at all ??
3.) Has all SGI software to be tested by users instead of SGI software engineers ??
4.) When will SGI stop this kind of WWW nonsense ??

Cheers

Joerg

--
*************************************************************************
* Joerg Kuemmerlen                                    |                 *
* Bayerisches Geo-Institut                            | It's a          *
* Universitaet Bayreuth                               | fulltime        *
* D-95440 Bayreuth                                    | job for         *
* Germany                                             | anyone          *
*                                                     | to stay         *
* Tel.: ++49-921-55 37 19                             | alive.          *
* Fax : ++49-921-55 37 69                             |                 *
* email: joku () uni-bayreuth de                      | J. Cocker       *
* WWW: http://torech-ungol.bgi.uni-bayreuth.de/~joku  |                 *
*************************************************************************
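
A check an administrator could run over users' web directories to find default pages like the one described in the message above, written as an added example that is not part of the original post or of SGI's outbox script: it lists every index.html or index.html.N whose mailto: link ends in the NIS domain name. The function names and the sample pages are constructed for illustration, and `grep -o` is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the original post): audit home page directories
# for default pages whose mailto: address embeds the NIS domain name.

# list_mailto_hosts FILE
# Print the host part of every mailto: address in FILE, one per line.
list_mailto_hosts() {
    grep -o 'mailto:[^"> ]*@[^"> ]*' "$1" 2>/dev/null | sed -e 's/^.*@//'
}

# find_nis_leaks DIR NISDOMAIN
# Print each index.html / index.html.N under DIR whose mailto: host ends in
# ".NISDOMAIN". Returns 0 if at least one such file exists, 1 otherwise.
find_nis_leaks() {
    dir=$1
    nisdomain=$2
    # Empty domain name means NIS is not configured: nothing can leak.
    [ -n "$nisdomain" ] || return 1
    hits=$(find "$dir" -type f -name 'index.html*' | sort |
        while IFS= read -r f; do
            list_mailto_hosts "$f" | while IFS= read -r h; do
                case $h in
                    # outbox builds $server as $host.$thisdomain, so the
                    # leaked name is always the trailing label(s).
                    *".$nisdomain") echo "$f"; break ;;
                esac
            done
        done)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# make_sample DIR
# Write two constructed pages (not real data) for a dry run: one with the
# NIS domain appended to the host, one with the bare hostname.
make_sample() {
    mkdir -p "$1/alice" "$1/bob"
    printf '%s\n' '<p>Send <a href="mailto:alice@o2box.nis-example">email to me.</a>' \
        > "$1/alice/index.html.N"
    printf '%s\n' '<p>Send <a href="mailto:bob@o2box">email to me.</a>' \
        > "$1/bob/index.html"
}

# Typical call on a NIS client (the path is a placeholder):
#   find_nis_leaks /path/to/home/dirs "$(/usr/bin/domainname)"
```

Where the NIS domain name and the DNS domain are identical, as the post notes is common, every fully qualified address is reported, so the hits need a manual look.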