COMMAND

    Chili!Soft ASP

SYSTEMS AFFECTED

    Chili!Soft ASP 3.5.2 and possibly previous versions.

PROBLEM

    Stan Bubrouski found the following.
    - A remote user could potentially view sensitive information and
      take remote control of the server.
    - The installer installs a default username and password for the
      administrative console if auto-detect of settings is used.
    - There are also several serious file permission problems.

    Chili!Soft ASP ships with sample scripts which are located in
    /opt/casp/caspsamp by default and are installed on web servers by
    default, accessible via http://<server>/caspsamp/.  A sample script
    named codebrws.asp, probably taken from the IIS 4.0 samples
    originally, is vulnerable to a "../" (directory traversal) attack
    allowing sensitive information to be revealed to remote users.
    During brief testing Stan was only able to get the script to read
    files one directory above the caspsamp directory, which is the
    /opt/casp directory by default.  This directory contains database
    usernames/passwords, the server logs, and the username/password for
    the administration console.  With the password to the
    administrative console a remote user with web access can remotely
    manage the server, opening endless possibilities since the console
    runs as root.

    It appears they attempted to prevent people from viewing files
    outside the samples directory: when Stan tried a URL whose "source"
    value did not begin with /caspsamp/, the request failed with a
    warning that he is not allowed to view files outside the samples
    directory.  The check evidently only looks at that prefix and does
    not normalise "../" components, since a value that begins with
    /caspsamp/ and then climbs out of it is accepted.

    The installer program installs a default username and password for
    the administration console, which is remotely accessible via the
    web.  The username/password are stored in the file
    /opt/casp/admin/conf/service.pwd, which is probably the only file
    installed with the correct permissions (in this case mode 600).

    Several files are installed mode 666 (world-readable and
    world-writable), which is a serious problem as some logs and
    configuration files are affected by this.  On Stan's system the
    following files were installed mode 666:

        /opt/casp/logs/install_summary
        /opt/casp/logs/install
        /opt/casp/logs/register
        /opt/casp/logs/server-3000
        /opt/casp/logs/component
        /opt/casp/caspsamp/401K/database/QEDBF.INI
        /opt/casp/caspsamp/friendship/agent/database/QEDBF.INI
        /opt/casp/caspsamp/friendship/client/database/QEDBF.INI
        /opt/casp/caspsamp/QEDBF.INI
        /opt/casp/chilicom/lib/hkey.current.user
        /opt/casp/chilicom/lib/hkey.local.machine
        /opt/casp/INSTALL/.webserver-cache
        /opt/casp/.installed_db
        /opt/casp/admin/conf/hkey.current.user
        /opt/casp/admin/conf/hkey.local.machine
        /opt/casp/admin/logs/server

    This may seem bad, but it gets worse.  Most of the files dealing
    with databases, such as global_odbc.ini and odbc.ini, are
    world-readable and thus by default expose to local users any
    passwords administrators may later configure.  All configuration
    files for the server and for the other services Chili!Soft ASP
    offers are also world-readable, exposing even more useful
    information to local users.

    Examples:

        http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd
        http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../global_odbc.ini
        http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../admin/logs/server
        http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../LICENSE.LIC
        http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../logs/server-3000
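    The following is an added example, not code from the advisory or
    from Chili!Soft, reconstructing the two checks side by side: a
    prefix-only test of the kind described above, which the example
    URLs slip past, and a hardened test that normalises the path first.
    The install root (/opt/casp), the /caspsamp/ mapping and the
    function names are assumptions for the demonstration.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs

# Assumed layout, mirroring the advisory's defaults rather than Chili!Soft's
# own code: the /caspsamp/ URL prefix maps onto /opt/casp/caspsamp, so the
# installation root /opt/casp sits one directory above the samples.
INSTALL_ROOT = "/opt/casp"
SAMPLE_PREFIX = "/caspsamp/"
SAMPLE_DIR = posixpath.join(INSTALL_ROOT, "caspsamp")


def source_param(url):
    """Extract the (percent-decoded) 'source' query parameter from a URL."""
    query = parse_qs(urlsplit(url).query)
    return query.get("source", [""])[0]


def resolve(source):
    """Filesystem path the server would open for a given 'source' value:
    the value is rooted at the install root and '.'/'..' components are
    collapsed, which is what an unguarded file open ends up doing."""
    return posixpath.normpath(posixpath.join(INSTALL_ROOT, source.lstrip("/")))


def naive_check(source):
    """Prefix-only check of the kind the advisory describes (hypothetical
    reconstruction): anything starting with /caspsamp/ is accepted, so
    '/caspsamp/../admin/conf/service.pwd' passes although it resolves
    outside the samples directory."""
    return source.startswith(SAMPLE_PREFIX)


def hardened_check(source):
    """Normalise first, then require the resolved path to be the samples
    directory itself or something beneath it.  Percent-encoded dots and
    '/caspsamp/../caspsamp/x' are handled correctly because the comparison
    is made on the canonical path, not on the raw string."""
    resolved = resolve(source)
    return resolved == SAMPLE_DIR or resolved.startswith(SAMPLE_DIR + "/")


def classify(url):
    """Return (source, naive_allows, hardened_allows, resolved_path)."""
    src = source_param(url)
    return src, naive_check(src), hardened_check(src), resolve(src)


if __name__ == "__main__":
    for u in (
        "http://server/caspsamp/codebrws.asp?source=/caspsamp/codebrws.asp",
        "http://server/caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd",
        "http://server/caspsamp/codebrws.asp?source=/caspsamp/%2e%2e/global_odbc.ini",
        "http://server/caspsamp/codebrws.asp?source=/admin/conf/service.pwd",
    ):
        print(classify(u))
```

    On a real filesystem the hardened check should additionally pass
    the normalised path through os.path.realpath before the comparison,
    so that a symbolic link inside the samples directory cannot be used
    to reach files outside it.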

SOLUTION

    The Admin console username and password can be changed by
    telnetting to the machine and running the "admtool" utility.  You
    must be root to run this utility.  Once the utility is started,
    you can list the existing users, delete them, and/or add additional
    users.  It is always strongly advisable to remove any default
    settings as quickly as possible.  By choosing the "custom"
    installation method instead of the default, you will be prompted
    for the ASP Admin console username and password.

    Disable the  sample directories.   This can  be done  in different
    ways, depending on your environment.
    a)  For  Chili!Soft  customers  on  Linux  environments  or  using
        Chili!Soft ASP v3.6 on AIX, go to the ASP Admin Console, click
        on the ASP Applications link, and remove all of the Chili!Soft
        ASP Applications that  are listed.   These all begin  with the
        prefix /caspsamp.
    b)  For customers on Solaris, HP, or previous AIX environments,
        telnet to the machine and change to the ASP engine directory
        (/opt/casp/asp-apache-3000 by default).  Open the casp.cnfg
        file and comment out the Chili!Soft ASP Sample Applications
        listed at the bottom of the file under the [ASP Applications]
        section.  Again, these all begin with the prefix /caspsamp.
    c)  The ability to view the ASP Sample applications is limited to
        the root web server of a machine.  They cannot be accessed
        from a virtual host by default.  If you are running in a
        shared hosting environment, your customers will only have the
        ability to access the /caspsamp virtual directory *if* they
        are connecting to the root web server on your machine.
        Chili!Soft ASP has the ability to enable ASP support on a per
        virtual host basis when used with Apache web servers.  You
        can disable ASP support for the root web server.  On Linux
        and AIX v3.6 installations, this can be done in the Admin
        Console.

    Removing access to the ASP samples, by performing one of the steps
    listed under "Disable the sample directories" above, will block
    the ability for anyone to view or modify the ASP configuration and
    log files without having direct access to the filesystem.  We have
    also determined that a number of the files can safely be set to a
    higher degree of security.  Below is a list of what can be done at
    this time.
    a) All files in the ASP engine directory (/opt/casp/asp-apache-3000
       by default) can be set to either 600 or 700 as appropriate (700
       where the file needs to remain executable), EXCEPT casp.cnfg and
       odbc.ini.  These two files must not be set to any permissions
       more restrictive than 644.
    b) In the CASP installation root directory (/opt/casp by default),
       you can change the permissions on the global_odbc.sh file to
       600.
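    The following is an added example, not code from the advisory or
    from Chili!Soft, that audits an installation tree for the
    world-readable and world-writable files described in the PROBLEM
    section and then applies the interim permission changes in items
    (a) and (b) above, showing what is still exposed afterwards.  It
    builds a constructed copy of the default layout in a temporary
    directory rather than touching /opt/casp; the placeholder file
    contents and the executable name bin/casp3000 are assumptions.

```python
import os
import shutil
import stat
import tempfile

# Names from the advisory's default layout; the tree built below lives in a
# temporary directory, not in /opt/casp.
ENGINE_DIR = "asp-apache-3000"
MUST_STAY_644 = {"casp.cnfg", "odbc.ini"}   # vendor: no more restrictive than 644
OTHER_RW = stat.S_IROTH | stat.S_IWOTH        # "other" read or write bits


def mode_of(path):
    """Permission bits of a file, as an int such as 0o666."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit(root):
    """Map each regular file under root that is readable or writable by
    'other' to its mode: the world-readable (644) and world-writable (666)
    logs and configuration files the advisory lists."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            mode = mode_of(path)
            if mode & OTHER_RW:
                findings[os.path.relpath(path, root)] = mode
    return findings


def harden(root):
    """Apply the vendor's interim guidance: files in the engine directory to
    600 (700 if they must stay executable) except casp.cnfg and odbc.ini,
    which are kept at 644, plus global_odbc.sh in the install root to 600.
    Returns the sorted list of files whose mode was changed."""
    changed = []
    engine = os.path.join(root, ENGINE_DIR)
    for dirpath, _, names in os.walk(engine):
        for name in names:
            path = os.path.join(dirpath, name)
            mode = mode_of(path)
            if name in MUST_STAY_644:
                want = 0o644
            elif mode & 0o111:
                want = 0o700
            else:
                want = 0o600
            if mode != want:
                os.chmod(path, want)
                changed.append(os.path.relpath(path, root))
    script = os.path.join(root, "global_odbc.sh")
    if os.path.isfile(script) and mode_of(script) != 0o600:
        os.chmod(script, 0o600)
        changed.append("global_odbc.sh")
    return sorted(changed)


def build_demo_tree():
    """Constructed sample installation: paths and modes mirror the advisory,
    file contents are placeholders, bin/casp3000 is a hypothetical binary."""
    root = tempfile.mkdtemp(prefix="casp-demo-")
    layout = {
        "logs/server-3000": 0o666,
        "admin/conf/service.pwd": 0o600,
        "global_odbc.ini": 0o644,
        "global_odbc.sh": 0o755,
        "asp-apache-3000/casp.cnfg": 0o666,
        "asp-apache-3000/odbc.ini": 0o644,
        "asp-apache-3000/casp.log": 0o666,
        "asp-apache-3000/bin/casp3000": 0o755,   # hypothetical executable
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("# constructed placeholder\n")
        os.chmod(path, mode)
    return root


def demo():
    """Build, audit, harden, audit again; returns (before, changed, after)
    and removes the temporary tree."""
    root = build_demo_tree()
    try:
        before = audit(root)
        changed = harden(root)
        after = audit(root)
    finally:
        shutil.rmtree(root)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    print("exposed before:", sorted(before))
    print("changed:", changed)
    print("still exposed after:", sorted(after))
```

    After hardening, the second audit still reports logs/server-3000,
    global_odbc.ini and the two engine files that must remain 644, which
    is exactly the residue the vendor says will be addressed in a later
    release; running audit() against the real /opt/casp gives the
    corresponding list for an actual installation.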

    Other specific file permission issues are being addressed as
    quickly as possible and will be modified in an upcoming release.
    Changing permissions on these files necessitates some changes to
    the product that must be blessed by Quality Assurance prior to
    public release in order to ensure that the product will continue
    to function as expected.