Nat Bayles wrote:
> Yep,,,, something to do with having some app piranha installed on your
> system. There is a backdoor logon to bypass any supervisor logons.....
> Then will allow you to exec commands as root
> I've seen this on 6.1 and up.....
Oh, really? Are you positive? My understanding is that there is no
"login". There's a php3 page that's supposed to be protected by a
.htaccess file. There is, unfortunately, a default password in the
version provided with 6.2. Due to a flaw (not a back door) in the php3
code, you can execute commands as "nobody", not root. That _might_
allow an attacker to deface your web site if:
You chose to install piranha (it's not installed by default)
You did not change the password on the php3 interface AND
Your permissions are set poorly.
> The only way to get around it is not to have it installed at all, even
> if you're not using it.
If you're not using it, there's no sense in having it installed. Basic
security involves removing any services that you aren't using.
You can change the password on the interface. This _is_ what Red Hat
intended for administrators to do. It's in the docs, AFAIK. Red Hat
also released an errata package which I believe comes with no default
password (the page is inaccessible until you set one), and fixes the
flaw.
MSG
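The third condition above ("your permissions are set poorly") is the one an administrator can check directly. The script below is an added example, not code from the thread or from Red Hat: it walks a web document root and lists every file or directory that the web server's unprivileged user (the "nobody" account the reply mentions) could write to, which is what turns command execution as that user into a defaced site. The uid/gid of the web user are parameters; the value 65534 used in the demo is a constructed placeholder for "nobody", and the sample tree is built in a temporary directory so the script runs offline.

```python
import os
import stat
import tempfile

# Added example (not from the original thread). Reports entries under a
# document root that an unprivileged web server account could modify.

def writable_by_web_user(st, web_uid, web_gid):
    """Return a reason string if the stat result is writable by the web
    user, or None if it is not. Decided purely from mode bits and ownership,
    so the check works the same whoever runs it."""
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_uid == web_uid and mode & stat.S_IWUSR:
        return "owned and writable by web user"
    if st.st_gid == web_gid and mode & stat.S_IWGRP:
        return "group-writable by web group"
    return None

def audit_docroot(docroot, web_uid, web_gid):
    """Walk docroot and return a sorted list of (relative path, reason)
    for every directory or file the web user could write to. Symlinks are
    skipped so the walk cannot be redirected outside the tree."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            reason = writable_by_web_user(st, web_uid, web_gid)
            if reason:
                findings.append((os.path.relpath(path, docroot), reason))
    return sorted(findings)

def build_sample_docroot():
    """Create a constructed sample tree: a correctly locked-down index page
    and cgi-bin, plus an 'uploads' area left world-writable by mistake."""
    root = tempfile.mkdtemp(prefix="docroot-demo-")
    os.makedirs(os.path.join(root, "cgi-bin"))
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html>constructed sample</html>\n")
    with open(os.path.join(root, "cgi-bin", "script.cgi"), "w") as f:
        f.write("#!/bin/sh\necho hello\n")
    with open(os.path.join(root, "uploads", "note.txt"), "w") as f:
        f.write("constructed sample\n")
    os.chmod(os.path.join(root, "index.html"), 0o644)
    os.chmod(os.path.join(root, "cgi-bin"), 0o755)
    os.chmod(os.path.join(root, "cgi-bin", "script.cgi"), 0o755)
    os.chmod(os.path.join(root, "uploads"), 0o777)          # the mistake
    os.chmod(os.path.join(root, "uploads", "note.txt"), 0o666)
    return root

# Placeholder uid/gid for the web server account ("nobody" on many systems).
NOBODY_UID = 65534
NOBODY_GID = 65534

if __name__ == "__main__":
    root = build_sample_docroot()
    for rel, reason in audit_docroot(root, NOBODY_UID, NOBODY_GID):
        print("%-25s %s" % (rel, reason))
```

Run against a real tree, pass the uid/gid from `pwd.getpwnam("nobody")` (or whatever `User`/`Group` the httpd config names) and expect an empty list: anything reported is content the web server process can rewrite.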
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.