Koozali.org: home of the SME Server

root password change - by design or security flaw ???

Andre Courchesne

root password change - by design or security flaw ???
« on: April 03, 2002, 03:48:55 AM »
Hi all,

  I noticed that by using the following command, an admin user can easily change the root password:

http://yoursmeserver/server-manager//cgi-bin/useraccounts?state=passwd&acct=root

  Is this by design, or could it be a security flaw?

  Notice that I am using 5.1beta4; I have not tried it with the 5.12 release.

----
Andre Courchesne - Consultant
http://www.acc.dns2go.com

Luke Drumm

Re: root password change - by design or security flaw ???
« Reply #1 on: April 04, 2002, 02:47:46 AM »
Might I suggest this would have been better posted to the security email address first instead of to a public bulletin board?

Regards,
Luke

Rich Lafferty

Re: root password change - by design or security flaw ???
« Reply #3 on: April 04, 2002, 03:04:02 AM »
It's not a *security* flaw, because you have to be logged into the server-manager
as admin to be able to do it -- and if you're logged into the server-manager
as admin, you may as well click the "Password" option and change the
admin password the usual way.

It may not be by design, though. I'll ensure Engineering knows of it, but
keep in mind the only way to trigger it is to log in as admin and then call the
panel with arguments that would never otherwise occur. Someone with
the admin password could log in as root and run "passwd" to obtain the
same outcome, because the admin and root passwords are the same.

In other words, if someone with the admin (and therefore root) password
wants to break the system, he'll probably succeed. It's therefore crucial to
make sure the admin password is only known to those who are trusted
to administer the system.

Lastly, please remember that the forums are a poor venue to report
bugs, as we aren't able to read every post. Please send bug reports
in future to bugs@e-smith.com, and security-related messages to
security@e-smith.com.

Thanks,

Rich Lafferty
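As an added illustration of the point made in the reply above (the panel being called with arguments it would never otherwise receive), the following Python is an example written for this page; it is not code from SME Server's server-manager, whose panels are Perl CGI scripts. The account names, the reserved-account list and the two handler functions are constructed assumptions. It contrasts a handler that trusts the `acct` parameter once an admin session exists with one that validates the account server-side against the set the user-accounts panel is actually meant to manage.

```python
from urllib.parse import parse_qs

# Constructed stand-in for the accounts the user-accounts panel manages.
# SME Server keeps these in its own configuration database; these names are invented.
USER_ACCOUNTS = {"acourchesne", "ldrumm", "rlafferty"}

# System accounts that must never be reachable through the panel, whatever the
# query string says. Assumed list for this example, not the project's own.
RESERVED_ACCOUNTS = {"root", "admin", "bin", "daemon", "nobody"}


def parse_panel_query(query):
    """Return (state, acct) from a query string such as 'state=passwd&acct=root'."""
    params = parse_qs(query, keep_blank_values=True)
    state = params.get("state", [""])[0]
    acct = params.get("acct", [""])[0]
    return state, acct


def weak_passwd_handler(query, session_is_admin):
    """Mirrors the behaviour reported in the thread: the only check is that the
    session is authenticated as admin; after that any 'acct' value is accepted,
    so 'acct=root' reaches the password-change form."""
    if not session_is_admin:
        return "denied: not logged in as admin"
    state, acct = parse_panel_query(query)
    if state != "passwd":
        return "ignored: not a password change"
    return "password change form for %s" % acct   # root slips through here


def hardened_passwd_handler(query, session_is_admin):
    """Same entry point, but the target account is validated on the server
    against the accounts this panel exists to manage, so tampering with the
    'acct' parameter cannot reach a system account."""
    if not session_is_admin:
        return "denied: not logged in as admin"
    state, acct = parse_panel_query(query)
    if state != "passwd":
        return "ignored: not a password change"
    if acct in RESERVED_ACCOUNTS or acct not in USER_ACCOUNTS:
        return "denied: %r is not a user account managed by this panel" % acct
    return "password change form for %s" % acct


if __name__ == "__main__":
    tampered = "state=passwd&acct=root"   # the URL arguments from the original post
    print("weak:    ", weak_passwd_handler(tampered, session_is_admin=True))
    print("hardened:", hardened_passwd_handler(tampered, session_is_admin=True))
    print("hardened:", hardened_passwd_handler("state=passwd&acct=ldrumm", session_is_admin=True))
```

The check in the hardened handler is an allow-list rather than a deny-list on `root` alone: an account such as an empty `acct`, a typo, or another daemon account is refused for the same reason, because it is not one the panel is supposed to manage. The session check stays, since the panel only runs behind server-manager authentication in the first place; the point is that the authorization decision for the target account must be made server-side, not inferred from which links the UI happens to offer.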