Date: Fri, 21 May 1999 12:08:00 +0200
From: Jakub Urbanec
To:
Subject: ExLibris Aleph Web server Security Alert

We have found a security hole in the web server bundled with the Aleph librarian system ver. 3.25 and higher (ExLibris). The web server in its default configuration allows anybody to view any file in the system that the Aleph installation owner can access. It is very simple to grab, for example, the /etc/passwd file from the Aleph web server. The bug with all details was already posted to ExLibris and to some groups of Aleph users.

Workaround:

1) do not run the web server as root under any circumstances!
2) use /etc/shadow or a similar system
3) use tcpd wrappers for denying possible logins
4) watch the logs from the web server

Please spread this message to Aleph admins!

Jakub CUBA++ Urbanec
.....................................................................
Jakub Cuba++ Urbanec        Univerzitni 20        tel.: +420-19-7491538
LPS-CIV-ZCU                 306 14, Plzen
                            Czech Republic
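Workaround step 4 ("watch the logs from the web server") is the one an administrator can act on immediately, so here is an added example of what such log review looks like in practice. It is not code from the advisory, from Jakub Urbanec, or from ExLibris; it assumes the web server writes Common Log Format lines (the sample lines below are constructed for illustration and are not real Aleph traffic), and the list of sensitive files it checks for is an assumption you would extend for your own system. It flags requests whose path escapes the document root (including percent-encoded and double-encoded forms) or resolves to a sensitive system file, and it keeps the HTTP status so you can tell a served file (200) from a refused attempt (403).

```python
"""Flag web-server log entries that look like arbitrary-file-read attempts.

Added example, not part of the original advisory. Assumes Common Log Format
input; SAMPLE_LOG and SENSITIVE_FILES are constructed/assumed for illustration.
"""
import re
import sys
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample log lines (Common Log Format); not real Aleph traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [21/May/1999:12:01:05 +0200] "GET /cgi-bin/search?base=usm01 HTTP/1.0" 200 5120
10.0.0.9 - - [21/May/1999:12:02:11 +0200] "GET /../../etc/passwd HTTP/1.0" 200 1320
10.0.0.9 - - [21/May/1999:12:02:30 +0200] "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.0" 403 288
10.0.0.7 - - [21/May/1999:12:03:02 +0200] "GET /images/logo.gif HTTP/1.0" 200 2048
10.0.0.9 - - [21/May/1999:12:04:44 +0200] "GET /scripts/../..//etc/passwd HTTP/1.0" 200 1320
"""

# Assumed list of files a web server should never serve; extend for your system.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/etc/master.passwd")

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_target(target: str) -> str:
    """Drop the query string and percent-decode twice, so that both
    %2e%2e and the double-encoded %252e%252e turn into '..'."""
    path = target.split("?", 1)[0]
    return unquote(unquote(path))


def escapes_root(decoded_path: str) -> bool:
    """True if walking the segments ever climbs above the document root."""
    depth = 0
    for seg in decoded_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def normalize_path(target: str) -> str:
    """Resolve the decoded path to its canonical absolute form ('/' + collapse)."""
    return normpath("/" + decode_target(target).lstrip("/"))


def scan_log(log_text: str) -> list:
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # unparsable line; a production scanner would count these
        decoded = decode_target(m["target"])
        canonical = normalize_path(m["target"])
        reasons = []
        if escapes_root(decoded):
            reasons.append("traversal")
        if canonical in SENSITIVE_FILES:
            reasons.append("sensitive-file")
        if reasons:
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "raw": m["target"],
                "path": canonical,
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return findings


def served_count(findings: list) -> int:
    """Number of flagged requests the server actually answered with 200,
    i.e. cases where the file was most likely disclosed."""
    return sum(1 for f in findings if f["status"] == 200)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = scan_log(text)
    for f in hits:
        print(f"{f['timestamp']} {f['ip']} {f['status']} {f['raw']} -> {f['path']} [{', '.join(f['reasons'])}]")
    print(f"{len(hits)} suspicious requests, {served_count(hits)} answered with 200")
```

Run it with a log file as the first argument, or without arguments to see the constructed sample. A 200 on a flagged request is the evidence that the file left the server; a 403 shows the attempt was refused but still tells you which addresses are probing.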