Bugtraq mailing list archives

RE: Arkeia Possible remote root & information leakage


From: Neil Curri <NCurri () gjusa com>
Date: Fri, 17 Aug 2001 11:32:36 -0400

> Because the salt is known and because the max password length is 8
> characters it would not be beyond the realms of possibility to crack
> the password (effectively a root password)

It is only an arkeia "root" password. It's not even a real user with a
shell. Make sure your system root password is different from your arkeia
root password.

> once you have access through
> the gui, you have the possibility of running a command from the gui
> before and after the backup job. This command is run as root and can be
> anything.

I didn't realize this, but it makes sense. If you install the RPM as
the system root, arkeia processes will be run as root.

> Use an SSH tunnel (www.ssh.com www.openssh.com)

This article on arkeia's support site explains how to set up an ssh tunnel
through a firewall for arkeia:
http://support.arkeia.com/cgi-bin/arkeia/solution?11=000322-0014&130=0953783453&14=&2715=&15=&2716=&57=search&58=&2900=JP9cQm9m9p&25=7&3=ssh

