Bugtraq mailing list archives
Re: Irix and WWW
From: jkb () MRC-LMB CAM AC UK (James Bonfield)
Date: Mon, 19 May 1997 09:38:22 +0100
Yuri Volobuev wrote:
[lots of stuff about SGI incompetence, especially with regards to security.]

I've recently been playing with our O2 too. I spotted the webdist.cgi problem immediately (by luck, it was the first script I bothered to look at).

The presence of symlinks makes everything worse. There are dozens of them, some going outside the /var/www area. These point to other places (e.g. /usr/demos) with yet more links. I couldn't obviously find any that pointed to something as daft as /, but I did verify from another host on our network that it's possible to download SoftWindows95 from the O2 web server!

My initial idea for this was to disable external WWW access for now, and complete removal later. (We'd like it available to localhost (bugs and all) for a while just to have some fun with the demos :-)) Then I realised that I can't figure out how to disable it. There's the ACL stuff in /usr/ns-home/httpacl which apparently claims that the default is to deny anyone and allow localhost. I don't understand the file format though, so I'm unsure of why this isn't working. The SGI documentation on such things simply refers me to ns-admin.

So, I started ns-admin and connected to localhost:81. What a pile of cack - it just doesn't work! I can't get anything out of it other than the message "this requires netscape version 2 or above". It's just as well really, as it had a default account of admin with no password. So now we haven't only got to be wary of which passwordless accounts they create in /etc/passwd, but in other places too. As for the version mismatch - I was using SGI's own web browser supplied on the system, so I simply put that down to bug-ridden code.

The bugs continue from there. It's not only the WWW stuff. I have a problem mounting NFS disks. I did my usual 'edit /etc/fstab' and cut and pasted my standard lumps in there. "mount -vat nfs" verified that it worked. However, this isn't done on bootup. I haven't had time to see why yet, but I decided to use the "official" way using the file system manager GUI. This simply told me "The NFS subsystem is not installed on this machine". AGGHGH!

If I get one more stupid BUGGY error then it's going out the window. I'm amazed by how SGI manage to "improve" upon their security holes with each release. What's next - a GUI to solve those "forgotten root password" events? Oh, sorry I forgot, they've already written that.

James

--
James Bonfield (jkb () mrc-lmb cam ac uk) Tel: 01223 402499 Fax: 01223 213556
Medical Research Council - Laboratory of Molecular Biology, Hills Road, Cambridge, CB2 2QH, England.
Also see Staden Package WWW site at http://www.mrc-lmb.cam.ac.uk/pubseq/
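A defender's audit for the symlink problem described in this post (an added example, not code from the original message or an SGI tool): it lists every symlink under a web document root whose final target, after following chained links, resolves outside that root. It assumes a GNU-style `readlink -f`; the /var/www and /usr/demos layout in the fixture is constructed under a temporary directory, not taken from a real O2.

```shell
#!/bin/sh
# Report symlinks under a web document root that resolve outside it.
# Assumes GNU-style `readlink -f` (canonicalises and follows link chains).

escaping_links() {
    docroot=$(readlink -f "$1") || return 2
    # -type l finds links at any depth, including links that point at
    # further links (the chains mentioned in the post).
    find "$docroot" -type l 2>/dev/null | while read -r link; do
        if ! target=$(readlink -f "$link"); then
            printf '%s -> (dangling)\n' "$link"
            continue
        fi
        case "$target" in
            "$docroot"|"$docroot"/*) ;;                  # stays inside the root
            *) printf '%s -> %s\n' "$link" "$target" ;;  # escapes the root
        esac
    done
}

# Constructed fixture: a fake /var/www with one harmless link, one link
# straight into /usr/demos, and one link that escapes only via a chain.
demo_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/var/www/htdocs" "$base/var/www/internal" "$base/usr/demos"
    ln -s "$base/var/www/internal"     "$base/var/www/htdocs/internal"  # fine
    ln -s "$base/usr/demos"            "$base/var/www/htdocs/demos"     # escapes
    ln -s "$base/var/www/htdocs/demos" "$base/var/www/htdocs/chain"     # escapes via chain
    printf '%s\n' "$base"
}

# Usage: sh audit.sh /var/www   (prints nothing if no link escapes)
if [ "$#" -gt 0 ]; then
    escaping_links "$1"
fi
```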