Hello Roy,

> I am taking over several web sites, and found that the users for both sites
> have VERY weak passwords... as in many are 3 digit numeric passwords (they
> use birthdates of mo/yr). Once I finished shuddering at the fact of such a
> weak set of passwords I started thinking.
>
> As long as I don't allow telnet access or site admin status to any of these
> weak users, would it be safe to add them with the existing passwords? I
> noticed all I can see as a lowly site user is ftp-ing into my own local web
> space.
Two problems that I can see immediately with this:

1. If they have weak passwords and someone does gain access it does of course mean that they (the hacker) can then upload/download/deface the data on the site. If you also have email enabled for that user they can then spam through that user account, impersonate them through their email address and retrieve their email. Even without mail enabled they could upload a trivial CGI script that simply allows them to spam through the server, and not only that, but reads data on your server that you or your other users may not have secured with appropriate directory and file permissions.

2. Exploits are often found that require a valid user account to accomplish the task of obtaining elevated privileges. A recent example is the wu-ftpd exploit that requires a valid user account initially (I believe that this could also be anonymous access via ftp too). Once the hacker has gained access to this "lowly" user account they then have made the step they require to then implement the exploit to gain elevated (root) privileges and they're all over your box. Even if there are no current known exploits with the packages installed, there could well be one in the (near) future for which a weak-password-protected account could prove very dangerous.

I'd _give_ them new passwords and tell them what they are before allowing them to access the server. It might then be prudent to test their passwords once they inevitably change them using a brute-force tool (of which there are many) to make sure they haven't simply set them back to something stupid.

Regards,

Jonathan Michaelson
Community CGI Scripts
http://www.webumake.com

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
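Jonathan's advice is to issue new passwords and then check what users change them to. The following is an added example, not code from this thread or from Cobalt: a small Python policy check an administrator could run at password-change time (or over an imported account list) to reject the short month/year birthdate passwords Roy describes. The account list and the minimum length are constructed assumptions.

```python
import re

# Assumed policy minimum; pick whatever your site actually requires.
MIN_LENGTH = 8

# Month/year birthdate shapes such as "387" (3/87), "0387" or "1287" (12/87).
MONTH_YEAR = re.compile(r"^(0?[1-9]|1[0-2])\d{2}$")


def weakness_reasons(password: str, username: str = "") -> list[str]:
    """Return the policy rules a candidate password violates (empty list = acceptable)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        reasons.append("digits only")
    if MONTH_YEAR.match(password):
        reasons.append("looks like a month/year birthdate")
    if len(set(password)) <= 2:
        reasons.append("too few distinct characters")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    return reasons


def audit_accounts(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map each username whose password fails policy to the rules it fails.

    Intended for the admin reviewing accounts before migrating them to a new
    server, so weak ones are reset instead of imported as-is.
    """
    failures = {}
    for user, password in accounts.items():
        reasons = weakness_reasons(password, user)
        if reasons:
            failures[user] = reasons
    return failures


# Constructed sample accounts for illustration; not real users from the thread.
SAMPLE_ACCOUNTS = {
    "alice": "387",                          # 3/87 style birthdate
    "bob": "1287",                           # 12/87 style birthdate
    "carol": "correct horse battery staple", # passes the checks above
    "dave": "aaaaaaaa",                      # long enough but one character
}

if __name__ == "__main__":
    for user, reasons in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: reset required ({'; '.join(reasons)})")
```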
