Bugtraq mailing list archives

Re: BigIP - bigconf.cgi holes


From: guy () CRYPTO ORG IL (Guy Cohen)
Date: Wed, 10 Nov 1999 11:30:09 +0200


Hello again,

First of all I must apologize for the corrupt date of my last post.
Now:

Rob Gilde wrote:
.|
.| Guy is discussing an issue that affects older versions of BIG/ip.
.| As he points out, the risk is from internal users.  In older versions
.| of BIG/ip, there is effectively only one user and that user has root
.| privileges.  That user could execute commands as root through a shell
.| escape in our web-based user interface.
.|
.| As of Version 2.1, this is no longer possible.  The current version
.| of BIG/ip is 2.1.2.  The software update is available for free over
.| the net to all customers with support contracts.
.|

Unfortunately this affects version 2.1.2 too.
I have added (using the HTML interface) a user with READ-ONLY access, logged
in as this user, and by executing
'bigconf.cgi?command=view_textfile&file=/etc/master.passwd&filters=;' I was
able to see the encrypted passwords in /etc/master.passwd, which is for
root eyes only.


--
Guy Cohen.
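
A detection sketch for the request quoted in the message above, as an added example that is not part of the original post or of any vendor code: it scans web access log lines for `bigconf.cgi` `view_textfile` requests whose `file` parameter falls outside an allow-listed directory. The Common Log Format input, the `/var/log` allow-list, the metacharacter check on `filters` and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption: the only directory the text-file viewer should serve (hypothetical).
ALLOWED_ROOT = "/var/log"
# Request line of a Common Log Format entry (the log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def check_request(target):
    """Return a reason string if the request target is suspicious, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/bigconf.cgi"):
        return None
    # Split on "&" only, so a ";" inside a value stays part of that value.
    params = {}
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(key, []).append(unquote_plus(value))
    if "view_textfile" not in params.get("command", []):
        return None
    for raw in params.get("file", []):
        # Normalise the decoded value so "../" segments cannot hide the real path.
        path = posixpath.normpath(raw)
        if not path.startswith(ALLOWED_ROOT + "/"):
            return f"file outside {ALLOWED_ROOT}: {path}"
    for raw in params.get("filters", []):
        # Assumption: filters never legitimately carries shell metacharacters.
        if re.search(r"[;|&`$<>]", raw):
            return f"metacharacter in filters: {raw!r}"
    return None

def scan(lines):
    """Return [(line_number, reason)] for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        reason = check_request(match.group(1)) if match else None
        if reason:
            hits.append((number, reason))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - viewer [10/Nov/1999:11:02:13 +0200] "GET /bigconf.cgi?command=view_textfile&file=/var/log/messages&filters= HTTP/1.0" 200 5120',
    '192.0.2.10 - viewer [10/Nov/1999:11:03:40 +0200] "GET /bigconf.cgi?command=view_textfile&file=/etc/master.passwd&filters=; HTTP/1.0" 200 812',
    '192.0.2.11 - viewer [10/Nov/1999:11:05:02 +0200] "GET /bigconf.cgi?command=view_textfile&file=/var/log/messages&filters=; HTTP/1.0" 200 5120',
]

print(scan(SAMPLE_LOG))
```
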


