Fair enough, I was just poking a bit with that comment.
I know it's like blaming the gun for killing someone instead of the person who pulled the trigger...

But as a last little nudge:
Sony's situation right now would be a good case about how sys admins can mess up big with simple things like patching or divulging information...

On 6/1/2011 11:44 AM, Tony Zakula wrote:
C'mon already.  If you are sys admin and you create the scenario
below, you deserve to be hacked.

Tony Z


On Wed, Jun 1, 2011 at 12:41 PM, Mini IT <[email protected]> wrote:
So it's a non-issue because an attacker will not have the correct
information?
Social engineering falls into "not my problem" for the developers?

On 6/1/2011 11:16 AM, Jędrzej Nowak wrote:
The attack is not as easy as it looks:
#1 you need to have admin on localhost:9090 (or any other known
combination)
#2 you need to visit infected page (from the same browser - because
there is user/password protection)
#3 you need to submit 2 forms (with fake data) => one for changing
values, second for 'apply'.
#4 you need to know the current cherokee structure (otherwise
cherokee-admin will refuse it)


Greetings,
Jędrzej Nowak



On Wed, Jun 1, 2011 at 5:21 PM, Mini IT <[email protected]> wrote:
Out of curiosity why is this not an issue?
I would think the ability to reconfigure and execute arbitrary commands
on a server is a pretty big issue even if the chance of it happening is slim.

http://seclists.org/fulldisclosure/2011/Jun/0
"Vendor response: "This isn't an issue."

Problem: the cherokee server admin configuration web interface is
vulnerable to csrf.

Impact: if an admin is logged into the cherokee admin interface and
visits a site which runs "bad tm scripts" cherokee can be reconfigured
to run as $user and set log handlers(hooks) to execute arbitrary
commands (on error and on access)."
_______________________________________________
Cherokee mailing list
[email protected]
http://lists.octality.com/listinfo/cherokee



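The thread argues about whether a CSRF in a password-protected admin interface matters. The point Jędrzej's preconditions miss is that the browser attaches the admin's stored credentials to a cross-site form post automatically, so "there is user/password protection" is exactly what a CSRF attack relies on rather than what stops it. The following is an added illustration, not code from the Cherokee project or from anyone in the thread. It models a tiny config-apply handler twice: once accepting any authenticated POST (the behaviour the seclists post describes), and once requiring a per-session synchronizer token plus an Origin/Referer check against the admin interface's own origin. A cookie session stands in for the HTTP-auth protection the thread mentions, `localhost:9090` is taken from the thread, and the config keys and request objects are constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Origin of the admin interface, as named in the thread (localhost:9090).
ADMIN_ORIGIN = "http://localhost:9090"


@dataclass
class Session:
    """Server-side session; the CSRF token is bound to it, never to the cookie alone."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Constructed stand-in for an HTTP POST: cookies, form fields, headers."""
    cookies: dict
    form: dict
    headers: dict


SESSIONS: dict = {}  # session id (cookie value) -> Session


def login(user: str) -> str:
    """Create a session and return the cookie value the browser would store."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def authenticated_session(request: Request):
    """Browsers send the cookie on cross-site POSTs too, so this alone proves nothing about intent."""
    return SESSIONS.get(request.cookies.get("sid"))


def apply_config_vulnerable(request: Request, config: dict):
    """Accepts any POST that carries a valid session cookie (the reported behaviour)."""
    if authenticated_session(request) is None:
        return 401, config
    updated = dict(config)
    updated.update(request.form)
    return 200, updated


def same_origin(request: Request) -> bool:
    """Defense in depth: the admin UI only ever posts to itself."""
    origin = request.headers.get("Origin") or request.headers.get("Referer")
    if not origin:
        return False  # fail closed when neither header is present
    parsed = urlparse(origin)
    return f"{parsed.scheme}://{parsed.netloc}" == ADMIN_ORIGIN


def apply_config_hardened(request: Request, config: dict):
    """Requires a session-bound token that a third-party page cannot read."""
    session = authenticated_session(request)
    if session is None:
        return 401, config
    if not same_origin(request):
        return 403, config
    submitted = request.form.get("csrf_token", "")
    # Constant-time compare; different lengths simply yield False.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403, config
    updated = dict(config)
    updated.update({k: v for k, v in request.form.items() if k != "csrf_token"})
    return 200, updated


def demo() -> dict:
    """Runs a cross-site POST and a legitimate POST through both handlers."""
    sid = login("admin")
    token = SESSIONS[sid].csrf_token
    base = {"run_as_user": "www-data"}  # constructed config key, not Cherokee's real key names
    # What the admin's browser sends when a third-party page auto-submits a form:
    # the cookie is attached, the token is unknown, and Origin is the foreign site.
    cross_site = Request(cookies={"sid": sid}, form={"run_as_user": "root"},
                         headers={"Origin": "http://third-party.example"})
    # What the admin UI itself sends: same cookie, token from the rendered form, own origin.
    legit = Request(cookies={"sid": sid},
                    form={"run_as_user": "nobody", "csrf_token": token},
                    headers={"Origin": ADMIN_ORIGIN})
    return {
        "vulnerable_cross_site": apply_config_vulnerable(cross_site, base),
        "hardened_cross_site": apply_config_hardened(cross_site, base),
        "hardened_legit": apply_config_hardened(legit, base),
    }


if __name__ == "__main__":
    for name, (status, cfg) in demo().items():
        print(f"{name}: HTTP {status}, run_as_user={cfg['run_as_user']}")
```

The token is the primary control: it is rendered into the admin's own pages and a page on another origin cannot read it, so a cross-site form post arrives without it regardless of how well the attacker knows the current configuration structure. The Origin/Referer check is secondary and fails closed when the headers are absent; on its own it would be weaker because some clients strip Referer. Neither check depends on the admin interface being on an unguessable port.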
