There have been various issues related to security brought to the attention of Chili!Soft. While we are working as quickly as possible to address the more detailed issues, we would like to provide as much information as possible on the current status to help remove as much exposure as possible in the short term. Chili!Soft is dedicated to providing a safe, secure environment for both our customers and their clients.

There have been 4 specific issues presented to us. We will cover each in its own section below.
1) Issue: Chili!Soft ASP installs a default username and password for the ASP Admin Console when you choose to install using the "default" installation.

Solution: The Admin Console username and password can be changed by telnetting to the machine and running the "admtool" utility. You must be root to run this utility. Once the utility is started, you can list the existing users, delete them, and/or add additional users. It is always strongly advisable to remove any default settings as quickly as possible.

Note: By choosing the "custom" installation method instead of the default, you will be prompted for the ASP Admin Console username and password.

Software Versions Affected: Linux 3.5.2, AIX 3.6
2) Issue: Chili!Soft ASP sample applications contain the ability to view the source of the sample ASP applications. This "codebrws.asp" script can be exploited to view any file on the system where the full path to the file location is known.

Solution: Disable the sample directories. This can be done in different ways, depending on your environment.

a) For Chili!Soft customers on Linux environments or using Chili!Soft ASP v3.6 on AIX, go to the ASP Admin Console, click on the ASP Applications link, and remove all of the Chili!Soft ASP Applications that are listed. These all begin with the prefix /caspsamp.

b) For customers on Solaris, HP, or previous AIX environments, telnet to the machine and change to the ASP engine directory (/opt/casp/asp-apache-3000 by default). Open the casp.cnfg file and comment out the Chili!Soft ASP Sample Applications listed at the bottom of the file under the [ASP Applications] section. Again, these all begin with the prefix /caspsamp.

c) The ability to view the ASP Sample applications is limited to the root web server of a machine. They cannot be accessed from a virtual host by default. If you are running in a shared hosting environment, your customers will only have the ability to access the /caspsamp virtual directory *if* they are connecting to the root web server on your machine. Chili!Soft ASP has the ability to enable ASP support on a per virtual host basis when used with Apache web servers. You can disable ASP support for the root web server. On Linux and AIX v3.6 installations, this can be done in the Admin Console.

Note: *All* of the file access issues presented in the BugTraq Advisory "Chili!Soft ASP Multiple Vulnerabilities" are directly related to the ability to reach the /caspsamp virtual directory. If one cannot view the ASP Sample applications from the web, one cannot access the configuration and log files from the web.

Software Versions Affected: All Chili!Soft releases on UNIX.
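The following script is an added example for step b) above; it is not Chili!Soft's own code. It comments out every entry beginning with /caspsamp under the [ASP Applications] section of casp.cnfg, keeps a .bak copy, and rewrites the file in place so its ownership and mode are preserved. It assumes one application per line, each line starting with its virtual path (for example "/caspsamp=..."); the advisory does not show the exact key/value syntax of casp.cnfg, so check the real file before relying on that assumption. The sample configuration it builds for the demo is constructed for illustration.

```shell
#!/bin/sh
# Added example (not Chili!Soft's own code): comment out the /caspsamp sample
# applications under the [ASP Applications] section of casp.cnfg.
# Assumption: one application per line, each line beginning with its virtual
# path (e.g. "/caspsamp=..."); the real syntax of casp.cnfg may differ.
set -eu

# Write a constructed casp.cnfg fragment to $1 (demonstration only).
make_sample_cnfg() {
    cat > "$1" <<'EOF'
[ASP Engine]
Port=3000

[ASP Applications]
/myapp=/var/www/myapp
/caspsamp=/opt/casp/caspsamp
/caspsamp/advanced=/opt/casp/caspsamp/advanced
EOF
}

# Count /caspsamp entries that are still active (not commented out)
# inside the [ASP Applications] section of the file named by $1.
count_active_caspsamp() {
    awk '
        /^\[/ { in_apps = ($0 == "[ASP Applications]") }
        in_apps && /^\/caspsamp/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# Prefix every /caspsamp entry in [ASP Applications] with "#". A .bak copy is
# kept, and the file is rewritten through "cat > file" so its ownership and
# mode survive (the advisory says casp.cnfg must stay at 644 or more open).
# Returns non-zero if any /caspsamp entry is still active afterwards.
disable_caspsamp() {
    f=$1
    cp -p "$f" "$f.bak"
    awk '
        /^\[/ { in_apps = ($0 == "[ASP Applications]") }
        in_apps && /^\/caspsamp/ { print "#" $0; next }
        { print }
    ' "$f" > "$f.tmp"
    cat "$f.tmp" > "$f"
    rm -f "$f.tmp"
    [ "$(count_active_caspsamp "$f")" -eq 0 ]
}

# Stand-alone demo on a constructed file in a temporary directory.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_cnfg "$d/casp.cnfg"
    echo "before: $(count_active_caspsamp "$d/casp.cnfg") active /caspsamp entries"
    disable_caspsamp "$d/casp.cnfg"
    echo "after:  $(count_active_caspsamp "$d/casp.cnfg") active /caspsamp entries"
    cat "$d/casp.cnfg"
    rm -rf "$d"
fi
```

Run it with `--demo` to see the constructed file before and after; on a real install call `disable_caspsamp /opt/casp/asp-apache-3000/casp.cnfg` as root and restart the ASP engine so the change takes effect.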
3) Issue: Chili!Soft ASP installs certain configuration files with permission settings that allow world-readable access.

Solution: Removing access to the ASP samples, by performing one of the steps listed in Item (2) above, will block the ability for anyone to view or modify the ASP configuration and log files without having direct access to the filesystem. We have also determined that a number of the files can safely be given more restrictive permissions. Below is a list of what can be done at this time.

a) All files in the ASP engine directory (/opt/casp/asp-apache-3000 by default) can be set to either 600 or 700 accordingly, EXCEPT casp.cnfg and odbc.ini. These two files must not be set to any permissions more restrictive than 644.

b) In the CASP installation root directory (/opt/casp by default), you can change the permissions on the global_odbc.sh file to 600.

Other specific file permission issues are being addressed as quickly as possible and will be modified in an upcoming release. Changing permissions on these files necessitates some changes to our product that must be blessed by Quality Assurance prior to public release in order to ensure that the product will continue to function as expected. We are well underway with this cycle and will try to post updates as appropriate.

Software Versions Affected: All Chili!Soft releases on UNIX (on versions other than Linux, filenames and locations may be modified somewhat.)
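The script below is an added example, not Chili!Soft's own tooling, that applies steps a) and b) above and then audits the result. It reads "600 or 700 accordingly" as: executable files in the engine directory become 700, everything else 600, with casp.cnfg and odbc.ini pinned at 644; that interpretation, the decision to touch only the top level of the engine directory, and the constructed install tree used for the demo are assumptions of this example. The default paths are the ones the advisory gives.

```shell
#!/bin/sh
# Added example (not Chili!Soft's own code): tighten the permissions named in
# item 3 and report anything in the engine directory still readable by others.
# Assumptions: executables -> 700, other files -> 600, casp.cnfg and odbc.ini
# stay 644; only the top level of the engine directory is processed.
set -eu

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Tighten modes. $1 = engine directory (/opt/casp/asp-apache-3000 by default),
# $2 = CASP installation root (/opt/casp by default).
harden_casp_perms() {
    engine=$1
    root=$2
    for f in "$engine"/*; do
        [ -f "$f" ] || continue
        case $(basename "$f") in
            casp.cnfg|odbc.ini) chmod 644 "$f" ;;          # must not go below 644
            *) if [ -x "$f" ]; then chmod 700 "$f"; else chmod 600 "$f"; fi ;;
        esac
    done
    if [ -f "$root/global_odbc.sh" ]; then
        chmod 600 "$root/global_odbc.sh"
    fi
}

# Print "path mode" for every file in the engine directory that is not 600
# or 700, skipping the two files that must stay 644. Returns 0 when clean.
audit_casp_perms() {
    engine=$1
    bad=0
    for f in "$engine"/*; do
        [ -f "$f" ] || continue
        case $(basename "$f") in casp.cnfg|odbc.ini) continue ;; esac
        m=$(mode_of "$f")
        case $m in
            600|700) ;;
            *) echo "$f $m"; bad=1 ;;
        esac
    done
    return $bad
}

# Build a constructed install tree under $1 for demonstration only.
make_sample_tree() {
    mkdir -p "$1/asp-apache-3000"
    for name in casp.cnfg odbc.ini casp.log asp.err; do
        : > "$1/asp-apache-3000/$name"
        chmod 644 "$1/asp-apache-3000/$name"
    done
    : > "$1/asp-apache-3000/casp"
    chmod 755 "$1/asp-apache-3000/casp"      # stands in for the engine binary
    : > "$1/global_odbc.sh"
    chmod 644 "$1/global_odbc.sh"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_tree "$d"
    echo "before:"; audit_casp_perms "$d/asp-apache-3000" || true
    harden_casp_perms "$d/asp-apache-3000" "$d"
    echo "after:";  audit_casp_perms "$d/asp-apache-3000" && echo "engine directory clean"
    rm -rf "$d"
fi
```

On a live system run `audit_casp_perms /opt/casp/asp-apache-3000` first to see what is exposed, then `harden_casp_perms /opt/casp/asp-apache-3000 /opt/casp` as root; the audit function is also a reasonable thing to leave in a nightly check so the modes do not drift back after an upgrade.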
4) Issue: InheritUser security mode does not properly set the Group ID.

Solution: This must be addressed at the code level and thus there is no configuration
w