
Re: [cpx] Security Breach!



On Fri, Apr 14, 2006 at 03:31:54PM -0600, Jonathan Duncan wrote:
>
> Subject: [cpx] Security Breach!
>
> Ok, I am worried.  I did not even stop to check if this was in the 
> archives or not.
> 
> I was just logged into CPX as the "server admin user".  Just for kicks I 
> decided to try to access a file that should not have been accessible at 
> all.  Before I accessed the file, it looked like this:
> 
> -rw-------   1 root         wheel           1584 Jan 25 09:11 secrets.txt
> 
> To my shock and horror I was able to view the file in CPX 
> (fortunately I was using HTTPS).  

Server admins can go anywhere and do anything in the file manager... and
it has always been this way.  So this is not a surprising discovery (to me
at least).


> After I accessed the file it looked like 
> this:
> 
> -rw-rw----   1 root         www             1584 Jan 25 09:11 secrets.txt
> 
> Ummmm.... does anyone else see the major security issue(s) here?!

I just attempted to replicate this behavior on my [development] box 
and on the master production servers and was not successful.  

Just curious... what is the full pathname to secrets.txt in your 
scenario?


> 
> Is this a known bug?  Is this a feature?  If so, it is a terrible 
> feature, IMESHO.
> 
> Thanks,
> Jonathan
> ======================================================================
> This is <cpx@xxxxxxxxxxxxx>      <http://www.groupmail.org/lists/cpx/>
> Before posting a question, please search the archives (see above URL).

-- 
========================================================================
Rus Berrett                                                    NTT/Verio
                 See Perl. See Perl Run. Run Perl, Run!
