Date: Thu, 14 Dec 2000 09:59:07 -0600 (CST) From: J Bacher <jb@jbacher.com> To: security@FreeBSD.ORG Subject: Re: Details of www.freebsd.org penetration Message-ID: <Pine.OSF.4.21.0012140927300.1770-100000@ns.shawneelink.net> In-Reply-To: <20001214070649.A25429@citusc.usc.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 14 Dec 2000, Kris Kennaway wrote:
> As promised, here are the details of the recent penetration of the
> www.freebsd.org server.
>
> As several people guessed, the initial penetration involved weaknesses
> in the CGI scripts running on the website. This gained control of user
> nobody, and then a local root vulnerability was leveraged to gain root
> access to the machine.
> [stuff deleted]
> The www cgi scripts have since been audited by several people for
> other vulnerabilities, four of which were found and corrected (I don't
This brings up an excellent point. It would be great if I could
out-source the responsibility of reviewing [and optionally correcting] C
or Perl code prior to making it available to webserver customers.
Is there a centralized source of {reputable, qualified} individuals that
provide this service?
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.OSF.4.21.0012140927300.1770-100000>