Everhart, Glenn

From: Michael Gerdts [gerdts@CAE.WISC.EDU]
Sent: Monday, November 30, 1998 6:20 PM
To: BUGTRAQ@NETSPACE.ORG
Subject: Security bugs in Excite for Web Servers 1.1

On November 11 I reported the following problems to ewsbugs@excite.com. I have only received an automated reply.

I have found numerous security concerns with EWS 1.1 which can lead to an ordinary user being able to gain control over EWS.

Problem: The installation program installs several files with world-write permissions. This is bad because one of them (Architext.conf) contains the encrypted password which is used for all authentication. Because of this, any user with shell or non-anonymous FTP access to the web server could modify the encrypted password.

Solution: At install time, ask the administrator for the username or uid that CGI scripts are run as. Make the excite installation directory restrictive enough such that only this user can get into the directory and make sure that no files are world-writable. Because of other concerns (such as dictionary attacks) this file should not be world-readable.

Problem: All authentication after the initial access to AT-admin.cgi relies solely on the encrypted password. Since any user with shell or FTP access can read Architext.conf, it is trivial for local users to gain administrative privileges over EWS. Thus, a user only needs to have a web page that looks like:
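The mail ends there in this copy. As an added example that is not part of Gerdts's message or of EWS itself, the following Python implements the install-time fix he proposes: audit an EWS install tree for world-writable files and for a world-readable Architext.conf, then apply the restrictive modes. The file name Architext.conf and AT-admin.cgi are from the mail; the directory layout and file contents are a constructed sample, and the tree is assumed to be already owned by the CGI user (no chown is done).

```python
import os
import stat
import tempfile

# Name from the advisory: this file holds the encrypted admin password.
SENSITIVE_FILES = {"Architext.conf"}


def audit_install_dir(root):
    """Return sorted (relative_path, problem) tuples for every entry that is
    world-writable, plus the password-bearing config if it is world-readable."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if name in SENSITIVE_FILES and mode & stat.S_IROTH:
                findings.append((rel, "world-readable"))
    return sorted(findings)


def harden_install_dir(root):
    """Apply the advisory's fix: only the owning (CGI) user may enter the
    tree, nothing is group- or world-writable, the config is owner-only."""
    os.chmod(root, 0o700)
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o700)
        for f in filenames:
            full = os.path.join(dirpath, f)
            if f in SENSITIVE_FILES:
                os.chmod(full, 0o600)
            else:
                mode = os.stat(full).st_mode & 0o777
                os.chmod(full, mode & ~(stat.S_IWOTH | stat.S_IWGRP))


def build_sample_install():
    """Constructed stand-in for a fresh install with the permissive modes
    the advisory describes; contents are placeholders, not real EWS files."""
    root = tempfile.mkdtemp(prefix="ews-sample-")
    os.makedirs(os.path.join(root, "cgi-bin"))
    conf = os.path.join(root, "Architext.conf")
    with open(conf, "w") as fh:
        fh.write("# constructed sample, not a real EWS config\n")
    os.chmod(conf, 0o666)  # world-writable and world-readable
    cgi = os.path.join(root, "cgi-bin", "AT-admin.cgi")
    with open(cgi, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(cgi, 0o777)
    return root
```

Run the audit before and after hardening on the sample tree; after hardening it should report nothing.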