ExLibris Aleph Web server Read Arbitrary Files



Vulnerability

    ExLibris Aleph Web server

Affected

    Those using ExLibris Aleph Web server

Description

    Jakub Urbanec found a security hole in the web server bundled with
    the Aleph librarian system ver. 3.25 and higher (ExLibris).  The
    web server in its default configuration allows anybody to view any
    file on the system that the Aleph installation owner can access.
    It is very simple to grab, for example, the /etc/passwd file from
    the Aleph web server.  The bug, with all details, was already
    posted to ExLibris and to some groups of Aleph users.

Solution

    1) Do not run the web server as root under any circumstances!
    2) Use /etc/shadow or a similar system
    3) Use tcpd wrappers for denying possible logins
    4) Watch the logs from the web server
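
For step 4, one way to watch the logs is to flag requests whose decoded target names a system file. This is an added example, not code from the advisory or from ExLibris; it assumes the server writes Common Log Format (the page does not give Aleph's log layout), and the watch list and sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: Common Log Format; Aleph's real log layout is not given on the page.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Files the advisory mentions; extend with whatever the Aleph owner can read.
SENSITIVE = ("/etc/passwd", "/etc/shadow")

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [01/Jan/2000:10:02:11 +0100] "GET /etc/passwd HTTP/1.0" 200 612',
    '192.0.2.77 - - [01/Jan/2000:10:02:15 +0100] "GET /%2565tc/%70asswd HTTP/1.0" 404 0',
    'truncated or malformed line',
]

def fully_decode(target, max_rounds=5):
    """Percent-decode repeatedly so nested encodings are unwrapped too."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def normalise(target):
    """Decode, unify slashes and case so one substring test covers variants."""
    t = fully_decode(target).replace("\\", "/").lower()
    return re.sub(r"/+", "/", t)

def suspicious_requests(lines):
    """Return {client_ip: [(timestamp, raw_target, was_served), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        if any(path in normalise(m["target"]) for path in SENSITIVE):
            served = m["status"].startswith("2")  # 2xx: the file went out
            hits[m["ip"]].append((m["ts"], m["target"], served))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in suspicious_requests(SAMPLE_LOG).items():
        for ts, target, served in events:
            print(ip, ts, target, "SERVED" if served else "refused")
```

A hit with a 2xx status means the file contents were returned, so treat it as a disclosure and not merely a probe.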

