Bugtraq mailing list archives
Re: Nokia IPSO Vulnerability
From: Damieon Stark <visigoth () securitycentric com>
Date: Thu, 24 Apr 2003 13:34:49 -0500
On Thu, Apr 24, 2003 at 01:32:50PM -0300, Jorge Merlino wrote:
> I don't think that is a vulnerability. The file /etc/master.passwd has read access for all users. Monitor can also read it in a ssh session. If you try that URL in a file with, let's say, 660 permissions you get a blank page.
Ummm... What am I missing here? Does it seem _crazy_ to anybody else that the permissions on the file containing some of the most sensitive information on the system would have read access to all users? This is clearly NOT the default on any of the BSD systems (including the one from which IPSO is derived) that I am aware of.

Can anybody else confirm the permissions required to read the file? Can anybody else confirm that the /etc/master.passwd file is a+r? I would have to call this a vulnerability either way....

-visigoth