Vulnerability
ASP
Affected
Chili!Soft ASP
Description
Jim Sander found the following. If you use the "web console"
utility to install/update your server license, the license file
will be installed with world-write permission.
If that file is corrupted or removed, Chili!Soft services will stop
functioning due to a license violation. Anyone who has (or can get)
shell or file write access on the server can zap that file to
effectively remove your web server's ASP functionality.
Non-ASP content should continue to function, though.
This is (or at least should be) a known problem, since the following
instruction is a quote from their install procedure:
>> 3. The LICENSE.LIC file must have 777 permissions.
Solution
If you ignore their directions and perform an update "manually",
you won't have this problem, since the file will be root:root mode
644. The server appears to function fine with this configuration,
although anyone can still potentially copy your server license.
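
The check below is an added example, not part of the original advisory or of Chili!Soft's own tooling. It is a POSIX shell function that flags a world-writable license file and, going slightly beyond the text, a world-writable parent directory without the sticky bit, since removing a file is governed by the directory's permissions rather than the file's own. The license path is supplied by the caller because the advisory does not give one.

```shell
#!/bin/sh
# Added example: audit a license file for the weakness described above.
# Usage: sh audit_license.sh /path/to/LICENSE.LIC   (path is an assumption)

# Print the 10-character mode string (e.g. -rwxrwxrwx), following symlinks.
mode_string() {
    ls -ldL -- "$1" | cut -c1-10
}

# Return 0 when other users cannot corrupt or remove the file,
# 1 when there is at least one finding, 2 when the file is missing.
audit_license() {
    file=$1
    findings=0
    if [ ! -f "$file" ]; then
        echo "MISSING: $file" >&2
        return 2
    fi
    dir=$(dirname "$file")
    fmode=$(mode_string "$file")
    dmode=$(mode_string "$dir")

    # Character 9 is the "other" write bit: any local user can corrupt the file.
    if [ "$(printf '%s' "$fmode" | cut -c9)" = "w" ]; then
        echo "FINDING: $file is world-writable ($fmode)"
        findings=1
    fi

    # A world-writable directory lets any user unlink the file, even at
    # mode 644, unless the sticky bit (t/T in character 10) is set.
    if [ "$(printf '%s' "$dmode" | cut -c9)" = "w" ]; then
        case $(printf '%s' "$dmode" | cut -c10) in
            t|T) ;;
            *)
                echo "FINDING: $dir is world-writable without sticky bit ($dmode)"
                findings=1
                ;;
        esac
    fi
    return "$findings"
}

# Run the audit when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_license "$1"
fi
```

A clean result only covers the write and delete paths; as the advisory notes, a 644 file is still readable by every local user.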