From owner-freebsd-security Thu Dec 14 7:59:14 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 07:59:13 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from ns.shawneelink.net (ns.shawneelink.net [216.240.66.11]) by hub.freebsd.org (Postfix) with ESMTP id DE4DD37B400 for ; Thu, 14 Dec 2000 07:59:12 -0800 (PST) Received: from ns.shawneelink.net (ns.shawneelink.net [216.240.66.11]) by ns.shawneelink.net (8.10.1/8.10.1) with ESMTP id eBEFx7I06881 for ; Thu, 14 Dec 2000 09:59:07 -0600 (CST) Date: Thu, 14 Dec 2000 09:59:07 -0600 (CST) From: J Bacher X-Sender: jb@ns.shawneelink.net To: security@FreeBSD.ORG Subject: Re: Details of www.freebsd.org penetration In-Reply-To: <20001214070649.A25429@citusc.usc.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 14 Dec 2000, Kris Kennaway wrote: > As promised, here are the details of the recent penetration of the > www.freebsd.org server. > > As several people guessed, the initial penetration involved weaknesses > in the CGI scripts running on the website. This gained control of user > nobody, and then a local root vulnerability was leveraged to gain root > access to the machine. > [stuff deleted] > The www cgi scripts have since been audited by several people for > other vulnerabilities, four of which were found and corrected (I don't This brings up an excellent point. It would be great if I could out-source the responsibility of reviewing [and optionally correcting] C or Perl code prior to making it available to webserver customers. Is there a centralized source of {reputable, qualified} individuals that provide this service? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message