COMMAND
ExLibris Aleph Web server
SYSTEMS AFFECTED
Those using ExLibris Aleph Web server
PROBLEM
Jakub Urbanec found a security hole in the web server bundled with
the Aleph library system, version 3.25 and higher (ExLibris). In its
default configuration the web server allows anyone to read any file
on the system that the Aleph installation owner can access. It is
very simple, for example, to retrieve the /etc/passwd file from an
Aleph web server. The bug, with all details, has already been
reported to ExLibris and to several groups of Aleph users.
SOLUTION
1) never run the web server as root, under any circumstances; the
   files it exposes are read with its own privileges
2) use /etc/shadow or a similar shadow-password mechanism, so that
   password hashes are not among the files the web server can serve
3) use tcpd (TCP wrappers) to restrict login services to trusted
   hosts, limiting what can be done with account names read from the
   system
4) watch the web server logs for requests containing ".." path
   components or naming sensitive files such as /etc/passwd
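The checks behind the mitigations above can be scripted. The following is an added example written for this page, not code from ExLibris or from the original advisory: it scans web-server access logs in common log format for traversal and sensitive-file requests (point 4), counts /etc/passwd entries whose hash has not been moved to /etc/shadow (point 2), and reports web-server processes running as root (point 1). The log lines, the passwd lines and the process name httpd are constructed assumptions for the example, not data captured from an Aleph installation.

```shell
#!/bin/sh
# Added example for the Aleph advisory mitigations. All sample data below
# is constructed for illustration; the process name "httpd" is an assumption.

# Point 4: print log lines (stdin or files given as arguments) whose request
# contains a literal or URL-encoded "../" sequence, or names /etc/passwd or
# /etc/shadow directly. Case-insensitive so %2E%2E is caught as well.
scan_log() {
    grep -iE '(\.\./|\.\.%2f|%2e%2e[/%]|/etc/(passwd|shadow))' "$@"
}

# Client addresses that issued suspicious requests, one per line, deduplicated.
offending_hosts() {
    scan_log "$@" | awk '{ print $1 }' | sort -u
}

# Constructed sample log: two benign requests, two traversal attempts from one host.
SAMPLE_LOG='192.0.2.10 - - [10/Oct/2000:13:55:36 +0200] "GET /index.html HTTP/1.0" 200 2326
192.0.2.10 - - [10/Oct/2000:13:55:40 +0200] "GET /cgi-bin/search?q=aleph HTTP/1.0" 200 512
198.51.100.7 - - [10/Oct/2000:14:01:02 +0200] "GET /../../../../etc/passwd HTTP/1.0" 200 1843
198.51.100.7 - - [10/Oct/2000:14:01:09 +0200] "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.0" 403 0'

# Number of suspicious requests in the constructed sample.
count_hits() {
    printf '%s\n' "$SAMPLE_LOG" | scan_log | wc -l | tr -d ' '
}

# Point 2: count passwd-format lines (stdin) whose password field is anything
# other than the shadow placeholder "x" or the locked markers "*" and "!",
# i.e. accounts whose hash would be exposed if /etc/passwd were read.
unshadowed_entries() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!"' | wc -l | tr -d ' '
}

# Constructed sample passwd file: two shadowed accounts, one with a hash in place.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
aleph:x:500:500:Aleph owner:/exlibris/aleph:/bin/csh
guest:Xy9abcDEF12gh:501:501:Guest:/home/guest:/bin/sh'

# Point 1: number of processes named $1 owned by root (0 means the check passes).
# Uses POSIX ps -o with empty headers; prints 0 if ps is unavailable.
root_instances() {
    ps -eo user=,comm= 2>/dev/null | awk -v name="$1" '$1 == "root" && $2 == name' | wc -l | tr -d ' '
}

echo "suspicious requests in sample log: $(count_hits)"
echo "hosts issuing them: $(printf '%s\n' "$SAMPLE_LOG" | offending_hosts)"
echo "passwd entries still carrying a hash: $(printf '%s\n' "$SAMPLE_PASSWD" | unshadowed_entries)"
echo "httpd processes running as root: $(root_instances httpd)"
```

On a real installation, feed the server's access log to scan_log (for example from a nightly cron job) and run unshadowed_entries over the actual /etc/passwd; the traversal pattern is deliberately broad, so review the matches rather than acting on counts alone.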