Re: piranha default password/exploit

[gafton () REDHAT COM (Cristian Gafton)]

On Mon, 24 Apr 2000, Max Vision wrote:

> The first problem is the default account and password that protect the web
> directory containing the administrative php3 scripts.  This is what ISS
> called a "backdoor" - which is actually a default password.  (If ISS found
> something other than what I found, please email me...)

I can't speak for ISS, but as the one that handled this errata release
form Red Hat's side I can say that they did not discover anything else. I
am still trying to figure out how they settled on this "backdoor" term; on
the other hand it is hard for me to argue that any other term that
applies to this vulnerability does not draw the press crowd and gets the
attention that "backdoor" does.

It would be fine if they had used this term in order to alert everybody
and get more attention from the system administrators rather than the
press at large; but again, making it sound like Red Hat intended to screw
everybody on purpose gets more hits on the web pages.

This is not a backdoor (or the ISS people are being extremely creative
with what a backdoor is). If you deploy a service on the Internet without
paying any attention to the written documentation (which tells you to
change the password), then pretty much you're setting yourself up for
this. At any rate, a backdoor and a default password are NOT the same
thing and it is a pity to see ISS employing creativity for stretching
definitions like this.

Cristian

--
----------------------------------------------------------------------
Cristian Gafton     --     gafton () redhat com      --     Red Hat, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  "How could this be a problem in a country where we have Intel and
   Microsoft?"  --Al Gore on Y2K