View Issue Details

ID: 0000733
Project: website
Category: security-placeholder
View Status: public
Last Update: 2005-01-04 22:47
Reporter: herrold
Priority: low
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Other
OS: other
OS Version:
Product Version: unspecified
Target Version:
Fixed in Version:
Summary: 0000733: non-SSL access to admin interfaces -- three instances
Description: placeholder
Tags: No tags attached.

Activities

herrold (reporter) 2005-01-04 22:40 ~0002222

Date: Tue, 04 Jan 2005 13:20:00 -0600
From: donavan nelson <donavan@4wx.net>
To: security@centos.org
Subject: non secure login

http://caos1.caosity.org/www/adminphp/
Lets me login and view data without using ssl....

==============================================

yup -=- not right

in looking I also found a ~ with passwords lying around

there are two or three instances

[herrold@caos1 herrold]$ locate adminphp
/var/www/html/www/adminphp
/var/www/html/webupdate/adminphp
/backups/caosity/www/html/adminphp
[herrold@caos1 herrold]$


Fix is:

<?php
/* $Id: index.php,v 1.54 2003/07/11 09:35:05 rabus Exp $ */
// vim: expandtab sw=4 ts=4 sts=4:

// Refuse to serve the admin interface to requests that arrived on the
// plain-HTTP port; only requests on the SSL virtual host get past here.
$PORT = $_SERVER["SERVER_PORT"];
if ("$PORT" == "80") {
    print "SSL logins only please.\n";
    exit;
}

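A sturdier version of the same gate, as an added example that is not the patch from this ticket: it tests whether the connection is actually TLS rather than whether the port number happens to be 80, and the function names, the trusted-proxy list and the hostname argument are assumptions.

```php
<?php
// Added example, not the ticket's own patch. A SERVER_PORT == "80" test only
// rejects requests that arrive on port 80: a vhost listening on another plain
// port, or a TLS-terminating proxy that forwards over HTTP, slips past it.
// This checks the actual TLS state and, for GET/HEAD, redirects to https://.
// Function names, $trusted_proxies and the $host argument are assumptions.

function request_is_https(array $server, array $trusted_proxies = []): bool
{
    // Apache and nginx set HTTPS=on (or 1) when the connection itself is TLS.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Trust X-Forwarded-Proto only from a proxy we operate; otherwise any
    // client could claim to be on HTTPS and bypass the check.
    if (isset($server['HTTP_X_FORWARDED_PROTO'])
        && in_array($server['REMOTE_ADDR'] ?? '', $trusted_proxies, true)) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

function require_https(array $server, string $host, array $trusted_proxies = []): void
{
    if (request_is_https($server, $trusted_proxies)) {
        // Tell browsers to keep using HTTPS for this host.
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    if ($method === 'GET' || $method === 'HEAD') {
        // $host comes from configuration, not from the Host header, so the
        // redirect target cannot be steered by the client.
        header('Location: https://' . $host . ($server['REQUEST_URI'] ?? '/'), true, 301);
    } else {
        // A POSTed login over plain HTTP has already exposed the credentials;
        // refuse it outright rather than replaying it over TLS.
        header('Content-Type: text/plain', true, 403);
        echo "SSL logins only please.\n";
    }
    exit;
}

// Hostname taken from the URL reported in the ticket; adjust per vhost.
require_https($_SERVER, 'caos1.caosity.org');
```
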
herrold (reporter) 2005-01-04 22:41 ~0002223

add reporter

herrold (reporter) 2005-01-04 22:42 ~0002224

alter subject line to meaningful value

herrold (reporter) 2005-01-04 22:45 ~0002225

fixed in second locale:


[root@caos1 adminphp]# scp index.php _backup_index.php
[root@caos1 adminphp]# rm *~
rm: remove regular file `config.inc.php~'? y
rm: remove regular file `index.php~'? y
[root@caos1 adminphp]#

herrold (reporter) 2005-01-04 22:47 ~0002226

and the third -- all done

Issue History

Date Modified Username Field Change
2005-01-04 22:40 herrold URL => http://caos1.caosity.org/www/adminphp/
2005-01-04 22:40 herrold Status NEW => ASSIGNED
2005-01-04 22:40 herrold cclist_accessible 1 => 0
2005-01-04 22:41 herrold CC => donavan@4wx.net
2005-01-04 22:42 herrold cclist_accessible 0 => 1
2005-01-04 22:42 herrold Summary placeholder => non-SSL access to admin interfaces -- three instances
2005-01-04 22:47 herrold Status ASSIGNED => RESOLVED
2005-01-04 22:47 herrold Resolution => FIXED