On Wed, 1 Oct 2003, Rob Whyte wrote:
> I noticed today that included in the status.cgi page is the xml
> configuration file (config.xml) which shows the passwords for login and pptp
> clients in PLAIN TEXT. There is no password required to get to this page,
> and is viewable by anyone inside the firewall.
Ouch - looks like an undocumented "feature" in mini_httpd (compared to
thttpd which did allow .htpasswd to traverse directories). A fixed image
(pb16r501) has been released and pb16r500 has been removed.
EVERYBODY WHO RUNS pb16r500 IS STRONGLY URGED TO UPGRADE IMMEDIATELY!!
- Manuel