COMMAND
Chili!Soft ASP
SYSTEMS AFFECTED
Chili!Soft ASP 3.5.2 and possibly previous versions.
PROBLEM
Stan Bubrouski found the following.
- A remote user could potentially view sensitive information and
take remote control of the server.
- The installer installs a default username and password for the
administrative console if auto-detect of settings is used.
- There are also several serious file permission problems.
Chili!Soft ASP ships with sample scripts which are located in
/opt/casp/caspsamp by default and are installed on webservers by
default, accessible via http://<server>/caspsamp/. A sample script
named codebrws.asp, probably taken originally from IIS 4.0, is
vulnerable to a "../" attack allowing sensitive information to be
revealed to remote users. During brief testing Stan was only able
to get the script to read files one directory above the caspsamp
directory, which is the /opt/casp directory by default. This
directory contains database usernames/passwords, the server logs,
and the username/password to the administration console. With the
password to the administrative console a remote user with web
access can remotely manage the server, thus opening endless
possibilities since the console runs as root.
It appears they attempted to prevent people from viewing files
outside the samples directory, because when Stan tried with a URL
not containing /caspsamp/ at the beginning it would fail and warn
him that he is not allowed to view files outside the samples
directory.
The installer program installs a default username and password for
the administration console, which is remotely accessible via the
web. The username/password are stored in the file
/opt/admin/conf/service.pwd, which is probably the only file
installed with the correct permissions (in this case mode 600).
There are several files installed mode 666, which is a serious
no-no, as some logs and configuration files are affected by this.
On Stan's system the following files were installed mode 666:
/opt/casp/logs/install_summary
/opt/casp/logs/install
/opt/casp/logs/register
/opt/casp/logs/server-3000
/opt/casp/logs/component
/opt/casp/caspsamp/401K/database/QEDBF.INI
/opt/casp/caspsamp/friendship/agent/database/QEDBF.INI
/opt/casp/caspsamp/friendship/client/database/QEDBF.INI
/opt/casp/caspsamp/QEDBF.INI
/opt/casp/chilicom/lib/hkey.current.user
/opt/casp/chilicom/lib/hkey.local.machine
/opt/casp/INSTALL/.webserver-cache
/opt/casp/.installed_db
/opt/casp/admin/conf/hkey.current.user
/opt/casp/admin/conf/hkey.local.machine
/opt/casp/admin/logs/server
This may seem bad, but it gets worse. Most of the files dealing
with databases, such as global_odbc.ini and odbc.ini, are
world-readable and thus by default expose passwords administrators
may later install to local users. All configuration files for the
server and the other services offered by Chili!Soft ASP are also
world-readable, exposing even more useful information to local
users.
Examples:
http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd
http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../global_odbc.ini
http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../admin/logs/server
http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../LICENSE.LIC
http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../logs/server-3000
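The reason the samples-directory check described above fails, and a way to catch the requests in the examples above in web server logs, as an added example that is not part of the original advisory or of Chili!Soft's code. The "naive" function is a reconstruction of the kind of check the advisory describes (a string prefix comparison); the hardened function canonicalises the path before comparing. The log format, the function names and the sample log lines are all assumptions constructed for the example:

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Directory the sample scripts are served from, per the advisory.
SAMPLES_PREFIX = "/caspsamp/"


def naive_is_inside_samples(source):
    """The kind of check the advisory describes: the request is refused
    only when the source path does not *start with* /caspsamp/. A plain
    prefix comparison never looks at '..' segments, so a path that
    begins with /caspsamp/ and then climbs out is accepted.
    (Hypothetical reconstruction, not the vendor's code.)"""
    return source.startswith(SAMPLES_PREFIX)


def canonical_is_inside_samples(source):
    """Hardened check: percent-decode until stable (catches double
    encoding), refuse NUL and backslash, collapse '.' and '..' segments
    with posixpath.normpath, and only then compare against the prefix."""
    decoded = source
    while True:
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded or "\\" in decoded:
        return False
    canonical = posixpath.normpath("/" + decoded.lstrip("/"))
    return canonical.startswith(SAMPLES_PREFIX)


# Matches the request line of an Apache-style access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def traversal_source(log_line):
    """Return the offending 'source' value if the log line is a
    codebrws.asp request whose source resolves outside /caspsamp/,
    otherwise None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/codebrws.asp"):
        return None
    # parse_qs already percent-decodes once; the canonical check
    # decodes again in case the value was encoded twice.
    for source in parse_qs(url.query).get("source", []):
        if not canonical_is_inside_samples(source):
            return source
    return None


def scan_log(lines):
    """Return [(line number, source)] for every traversal attempt."""
    hits = []
    for number, line in enumerate(lines, start=1):
        source = traversal_source(line)
        if source is not None:
            hits.append((number, source))
    return hits


# Constructed sample log lines (not real traffic); the request URLs
# follow the advisory's examples.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2000:10:01:02 +0000] "GET /caspsamp/codebrws.asp?source=/caspsamp/codebrws.asp HTTP/1.0" 200 2312',
    '10.0.0.5 - - [12/Jan/2000:10:01:09 +0000] "GET /caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd HTTP/1.0" 200 88',
    '10.0.0.5 - - [12/Jan/2000:10:01:15 +0000] "GET /caspsamp/codebrws.asp?source=/caspsamp/..%2Fglobal_odbc.ini HTTP/1.0" 200 512',
    '10.0.0.9 - - [12/Jan/2000:10:02:00 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for number, source in scan_log(SAMPLE_LOG):
        print(f"line {number}: source escapes {SAMPLES_PREFIX}: {source}")
```

The prefix check accepts `/caspsamp/../admin/conf/service.pwd` because the string does begin with `/caspsamp/`; after `normpath` the same value becomes `/admin/conf/service.pwd` and is rejected. Running `scan_log` over the constructed lines flags lines 2 and 3 (the second uses `%2F`, which `parse_qs` decodes) and ignores the legitimate request on line 1. A 200 status on a flagged line means the file was actually served, so those are the requests to follow up on.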
SOLUTION
The Admin console username and password can be changed by
telnetting to the machine and running the "admtool" utility. You
must be root to run this utility. Once the utility is started,
you can list the existing users, delete them, and/or add additional
users. It is always strongly advisable to remove any default
settings as quickly as possible. By choosing the "custom"
installation method, instead of the default, you will be prompted
for the ASP Admin console username and password.
Disable the sample directories. This can be done in different
ways, depending on your environment.
a) For Chili!Soft customers on Linux environments or using
Chili!Soft ASP v3.6 on AIX, go to the ASP Admin Console, click
on the ASP Applications link, and remove all of the Chili!Soft
ASP Applications that are listed. These all begin with the
prefix /caspsamp.
b) For customers on Solaris, HP, or previous AIX environments,
telnet to the machine and change to the ASP engines directory
(/opt/casp/asp-apache-3000 by default). Open the casp.cnfg
file and comment out the Chili!Soft ASP Sample Applications
listed at the bottom of the file under the [ASP Applications]
section. Again, these all begin with the prefix /caspsamp.
c) The ability to view the ASP Sample applications is limited to
the root web server of a machine. They cannot be accessed
from a virtual host by default. If you are running in a
shared hosting environment, your customers will only have the
ability to access the /caspsamp virtual directory *if* they
are connecting to the root web server on your machine.
Chili!Soft ASP has the ability to enable ASP support on a per
virtual host basis when used with Apache web servers. You
can disable ASP support for the root web server. On Linux
and AIX v3.6 installations, this can be done in the Admin
Console.
The removal of access to the ASP samples, by performing one of
the steps listed in Item (2) above, will block the ability for
anyone to view or modify the ASP configuration and log files
without having direct access to the filesystem. We have also
determined that a number of the files can safely be set to a
higher degree of security. Below is a list of what can be done
at this time.
a) All files in the ASP engines directory
(/opt/casp/asp-apache-3000 by default), can be set to either
600 or 700 accordingly, EXCEPT casp.cnfg and odbc.ini. These
two files must not be set to any permissions lower than 644.
b) In the CASP installation root directory (/opt/casp by
default), you can change the permissions on the global_odbc.sh
file to 600.
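Steps (a) and (b) above, together with an audit for the world-accessible files the PROBLEM section lists, as an added example that is neither the advisory's nor Chili!Soft's code. The /opt/casp and asp-apache-3000 defaults and the casp.cnfg/odbc.ini exceptions come from the advisory; the function names, the reading of "all files in the engines directory" as the directory's immediate regular files, and the demo directory tree are assumptions constructed for the example:

```python
import os
import stat
import tempfile

# Defaults taken from the advisory's solution section.
CASP_ROOT = "/opt/casp"
ENGINE_DIR = "asp-apache-3000"
# Step (a): these two files must stay readable by the web server (644).
KEEP_644 = {"casp.cnfg", "odbc.ini"}


def audit_world_access(root):
    """Walk root and list every regular file that is world-readable or
    world-writable, as (path relative to root, octal mode). The mode-666
    files and the world-readable odbc.ini/global_odbc.ini from the
    advisory both show up here."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IROTH | stat.S_IWOTH):
                findings.append((os.path.relpath(path, root), oct(mode)))
    return sorted(findings)


def plan_hardening(root, engine_dir=ENGINE_DIR):
    """Translate the vendor's interim steps into {relative path: mode}.
    (a) regular files directly in the engines directory -> 600, or 700
        when the file is executable, except casp.cnfg and odbc.ini -> 644;
    (b) global_odbc.sh in the install root -> 600.
    Assumption: 'all files in the engines directory' is read as the
    directory's immediate regular files, not its subdirectories."""
    plan = {}
    engines = os.path.join(root, engine_dir)
    if os.path.isdir(engines):
        for name in os.listdir(engines):
            path = os.path.join(engines, name)
            if not os.path.isfile(path):
                continue
            if name in KEEP_644:
                new_mode = 0o644
            else:
                current = stat.S_IMODE(os.stat(path).st_mode)
                new_mode = 0o700 if current & stat.S_IXUSR else 0o600
            plan[os.path.relpath(path, root)] = new_mode
    script = os.path.join(root, "global_odbc.sh")
    if os.path.isfile(script):
        plan["global_odbc.sh"] = 0o600
    return plan


def apply_hardening(root, plan, dry_run=True):
    """Apply (or, by default, only report) the planned modes. Returns
    [(relative path, old mode, new mode)] for files that differ."""
    changes = []
    for rel, new_mode in sorted(plan.items()):
        path = os.path.join(root, rel)
        current = stat.S_IMODE(os.stat(path).st_mode)
        if current != new_mode:
            if not dry_run:
                os.chmod(path, new_mode)
            changes.append((rel, oct(current), oct(new_mode)))
    return changes


def build_demo_tree():
    """Constructed stand-in for /opt/casp so the functions can be run
    without a real installation. Returns the temporary root."""
    root = tempfile.mkdtemp(prefix="casp-demo-")
    layout = {
        "logs/server-3000": 0o666,              # one of the mode-666 logs
        "global_odbc.sh": 0o755,
        "asp-apache-3000/casp.cnfg": 0o666,
        "asp-apache-3000/odbc.ini": 0o644,
        "asp-apache-3000/casp": 0o755,          # an executable engine file
        "asp-apache-3000/secret.conf": 0o644,   # hypothetical engine config
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w"):
            pass
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_demo_tree()   # use CASP_ROOT on a real host, as root
    for rel, mode in audit_world_access(root):
        print(f"world-accessible: {rel} ({mode})")
    for rel, old, new in apply_hardening(root, plan_hardening(root)):
        print(f"would chmod {rel}: {old} -> {new}")
```

Run the dry run first and review the list before passing `dry_run=False`. Tightening a file to 600 only works if its owner is the account that needs it (root for the admin console, the web server's user for anything the engine reads at runtime), so check ownership with `ls -l` before applying. After hardening, the audit still reports casp.cnfg and odbc.ini at 644 and the mode-666 log files; the advisory's interim steps do not cover those, which is why the vendor notes that further permission changes are pending.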
Other specific file permission issues are being addressed as
quickly as possible and will be modified in an upcoming release.
Changing the permissions of these files necessitates some changes
to the product that must be blessed by Quality Assurance prior to
public release in order to ensure that the product will continue
to function as expected.