Bugtraq mailing list archives
Re: Security problem in ESRI's ArcDoc 7.0.4
From: svenw () sgu se (Sven.Wijk)
Date: Fri, 24 May 1996 11:05:48 +0200
*** GIS & ESRI/ARC/Info shops take note! *** The program "fm_fls" as distributed with ESRI's "ArcDoc" package (7.0.4) contains a bug which allows us to (a) add somewhat arbitrary data to any file and (b) changes the permissions of that file to rw-rw-rw-.
The program doesn't seem to be there in the version we are running (7.0.2). Downgrading might be an alternative solution. Please correct me if i'm wrong! A quick search in the ArcInfo directories showed 4 other programs suid to root. Do we have a potential for problems? Our GIS-people earlier looked at ESRI's product ArcStorm. Its client-server solution is built on: - a bunch of programs suid to root - the client must be trusted hosts to the server, by means of the /etc/.rhost or /etc/host.equiv file. This made me very uneasy, and i finaly managed to get them to drop their ArcStorm-dreams, and to search for some more security minded solution. It seems that security isn't a high priority issue for ESRI's developers. --- Sven.Wijk () sgu se
Current thread:
- Security problem in ESRI's ArcDoc 7.0.4 James W. Abendschan (May 23)
- Re: Security problem in ESRI's ArcDoc 7.0.4 Andrew Raphael (May 24)
- <Possible follow-ups>
- Re: Security problem in ESRI's ArcDoc 7.0.4 Sven.Wijk (May 24)
- Re: Security problem in ESRI's ArcDoc 7.0.4 James W. Abendschan (May 24)
- Re: Security problem in ESRI's ArcDoc 7.0.4 James W. Abendschan (May 24)