Re: Nokia IPSO Vulnerability
From: Damieon Stark (visigoth@securitycentric.com)
Date: 04/24/03
- Previous message: Rager, Anton (Anton): "RE: Cracking preshared keys"
- In reply to: Jorge Merlino: "RE: Nokia IPSO Vulnerability"
- Next in thread: Shawn Duffy: "Re: Nokia IPSO Vulnerability"
- Reply: Shawn Duffy: "Re: Nokia IPSO Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 24 Apr 2003 13:34:49 -0500 From: Damieon Stark <visigoth@securitycentric.com> To: Jorge Merlino <jmerlino@easynet.com.uy>
On Thu, Apr 24, 2003 at 01:32:50PM -0300, Jorge Merlino wrote:
> I don't think that is a vulnerability.
> The file /etc/master.passwd has read access for all users. Monitor can also
> read it in a ssh session.
> I you try that URL in a file with, let's say, 660 permissions you get a
> blank page.
Ummm... What am I missing here? Does it seem _crazy_ to anybody else that
the permissions on the file containing some of the most sensitive information
on the system would have read access to all users? This is clearly NOT
the default on any of the BSD systems (including the one from which IPSO is
derived) that I am aware of.
Can anybody else confirm the permissions required to read the file? Can
anybody else confirm that the /etc/master.passwd file is a+r?
I would have to call this a vulnerability either way....
-visigoth
- Previous message: Rager, Anton (Anton): "RE: Cracking preshared keys"
- In reply to: Jorge Merlino: "RE: Nokia IPSO Vulnerability"
- Next in thread: Shawn Duffy: "Re: Nokia IPSO Vulnerability"
- Reply: Shawn Duffy: "Re: Nokia IPSO Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
