On Tue, Jan 18, 2000 at 12:21:03AM +0000, foo wrote:

> Nortel's new Contivity series extranet switches
> (http://www.nortelnetworks.com/products/01/contivity) give administrators
> the ability to enable a small HTTP server and use Nortel's web based
> administration utility to handle configuration and maintenance.
> The server runs atop the VxWorks operating system and is located in the
> directory /system/manage. A CGI application, /system/manage/cgi/cgiproc
> that is used to display the administration html pages does not properly
> authenticate users prior to processing requests. An intruder can
> view any file on the switch without logging in.

As a user of the aforementioned product, it's important to note that
only the management side (read: your internal network) can access
the HTTP server of the switch (by default, though I don't even think
you can change this.)

I'm not downplaying the stupidity of cgiproc, I'm just saying let's not
all run and turn our contivity switches off.

--
Bill Fumerola - Network Architect
Computer Horizons Corp - CVM
e-mail: [EMAIL PROTECTED] / [EMAIL PROTECTED]
Office: 800-252-2421 x128 / Cell: 248-761-7272
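Bill's point is about exposure: the question for an operator is whether the switch's HTTP server is reachable from anywhere other than the management network, and whether cgiproc still serves a page with no login. The following is an added example (not code from the advisory, from Bill, or from Nortel) that checks both: it does an unauthenticated GET of the CGI path named in the advisory and turns the answer into a verdict. The port (80), the verdict labels, and the two mock servers it probes are assumptions made here so the check can be run offline; point probe() at a real switch from an untrusted host to test the claim that only the management side can reach it.

```python
"""Check whether a Contivity-style HTTP management CGI is reachable and whether
it answers without credentials.  Added example, not code from the advisory or
from Nortel.  CGI_PATH is the path quoted in the advisory; the port, the mock
responses and the verdict labels are assumptions made for illustration."""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CGI_PATH = "/system/manage/cgi/cgiproc"   # path named in the advisory


def classify(status, www_authenticate):
    """Turn the result of an unauthenticated GET into a verdict string."""
    if status in (401, 407) or www_authenticate:
        return "auth-required"             # server challenged us: expected behaviour
    if status == 403:
        return "forbidden"
    if status == 404:
        return "not-present"               # web management probably not enabled
    if 200 <= status < 300:
        return "unauthenticated-access"    # page served with no login: the reported flaw
    return "other"


def probe(host, port=80, path=CGI_PATH, timeout=5.0):
    """GET the CGI with no credentials.  Returns (reachable, status, verdict).

    Run from the untrusted side (e.g. an external host) to test whether only the
    management network can reach the server.  Port 80 is an assumption."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"User-Agent": "mgmt-exposure-check"})
        resp = conn.getresponse()
        resp.read()
        verdict = classify(resp.status, resp.getheader("WWW-Authenticate"))
        conn.close()
        return True, resp.status, verdict
    except (OSError, http.client.HTTPException):   # refused, timed out, reset, junk
        return False, None, "unreachable"


# --- constructed mock targets so the check can be exercised offline -----------
class _MockCgi(BaseHTTPRequestHandler):
    require_auth = False

    def do_GET(self):
        if self.require_auth and not self.headers.get("Authorization"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="manage"')
            self.end_headers()
            return
        body = b"<html>constructed management page</html>"   # constructed content
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass                                # keep the demo quiet


class _UnpatchedCgi(_MockCgi):
    require_auth = False                    # mimics cgiproc as described: no login needed


class _FixedCgi(_MockCgi):
    require_auth = True                     # what a corrected CGI should do


def _serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)     # ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _closed_port():
    """Pick a loopback port that nothing is listening on."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_demo():
    """Probe three constructed targets and return {name: verdict}."""
    results = {}
    for name, handler in (("unpatched", _UnpatchedCgi), ("auth-enforced", _FixedCgi)):
        srv = _serve(handler)
        try:
            results[name] = probe("127.0.0.1", srv.server_address[1], timeout=3.0)[2]
        finally:
            srv.shutdown()
            srv.server_close()
    results["unreachable"] = probe("127.0.0.1", _closed_port(), timeout=3.0)[2]
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:14s} -> {verdict}")
```

An "unreachable" verdict from an outside host is what Bill's description predicts; "unauthenticated-access" from any host that is not supposed to manage the box is the case worth losing sleep over.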
