Bugtraq mailing list archives

RFP9905: Zeus webserver remote root compromise


From: julian () ZEUSTECHNOLOGY COM (Julian Midgley)
Date: Tue, 26 Oct 1999 13:47:14 +0100


Zeus Technology has uploaded new binaries to fix the root compromise bug
in the Zeus Webserver reported by Rain Forest Puppy yesterday.

The bug affects all versions of Zeus prior to 3.3.2.  It is recommended
that customers upgrade as soon as possible.  Customers who are not making
use of the search module are not affected, and need only upgrade if they
plan to start using it in the future.

Full details of how to upgrade to the new binaries are at:

http://support.zeustechnology.com/news/exploit.html

Customers upgrading from version 3.1.9 or earlier will need to follow the
upgrade instructions at:

http://support.zeustechnology.com/faq/entries/z33migrate.html

It is worth noting also that, provided you had set the webserver to run as
a non-privileged user, the risk from the search module bug is relatively
slight, as someone exploiting it under those circumstances would find it
difficult to compromise root, provided you have chosen a secure password
for access to the admin server. This should serve as a reminder always to
run your web process as a non-root user.

To ensure that the Zeus admin server is as secure as possible, you should
restrict access to the admin server port (9090 by default) to designated
machines. You can do this by setting access restrictions on the
"Security Settings" configuration page for the admin server, and/or by
configuring your firewall appropriately.

You should also ensure (to prevent Crack-type attacks on your admin server
password) that you choose a password for the admin server which is as
secure as one you choose for root on your machine. (I.e., a mixture of
alphanumeric and punctuation characters, a mixture of upper and lowercase, no
dictionary words or parts thereof, etc.)


--
Julian Midgley
Technical Support Manager               jmidgley () zeustechnology com
Zeus Technology                         http://www.zeustechnology.com

For technical support queries, email support () zeustechnology com, being
sure to include your customer account number in the subject header.
