While we are working as quickly as possible to address the more detailed issues, we would like to provide as much information as possible on the current status to help remove as much exposure as possible in the short term. Chili!Soft is dedicated to providing a safe, secure environment for both our customers and their clients.
There have been 4 specific issues presented to us. We will cover each in their own section below.
1) Issue: Chili!Soft ASP installs a default username and password for the ASP Admin Console when you choose to install using the "default" installation.
Solution: The Admin console username and password can be changed by telneting to the machine and running the "admtool" utility. You must be root to run this utility. Once the utility is started, you can list the existing users, delete, and/or add additional users. It is always strongly advisable to remove any default settings as quickly as possible.
Note: By choosing the "custom" installation method, instead of the default, you will be prompted for the ASP Admin console username and password.
Software Versions Affected: Linux 3.5.2, AIX 3.6
2) Issue: Chili!Soft ASP sample applications contain the ability to view the source of the sample ASP applications. This "codebrws.asp" script can be exploited to view any files on the system where the full path to the file location is known.
Solution: Disable the sample directories. This can be done in different ways, depending on your environment.
a) For Chili!Soft customers on Linux environments or using Chili!Soft ASP v3.6 on AIX, go to the ASP Admin Console, click on the ASP Applications link, and remove all of the Chili!Soft ASP Applications that are listed. These all begin with the prefix /caspsamp.
b) For customers on Solaris, HP, or previous AIX environments, telnet to the machine and change to the asp engines directory (/opt/casp/asp-apache-3000 by default). Open the casp.cnfg file and comment out the Chili!Soft ASP Sample Applications listed at the bottom of the file under the [ASP Applications] section. Again, these all begin with the prefix /caspsamp.
c) The ability to view the ASP Sample applications is limited to the Root web server of a machine. They can not be accessed from a virtual host by default. If you are running in a shared hosting environment, your customers will only have the ability to access the /caspsamp virtual directory *if* they are connecting to the root web server on your machine. Chili!Soft ASP has the ability to enable asp support on a per virtual host basis when used with Apache web servers. You can disable ASP support for the root web server. On Linux and AIX v3.6 installations, this can be done in the Admin Console.
Note: *All* of the file access issues presented in the BugTraQ Advisory "Chili!Soft ASP Multiple Vulnerabilities" are directly related to the ability to reach the /caspsamp virtual directory. If one can not view the ASP Sample applications from the web, one can not access the configuration and log files from the web.
Software Versions Affected: All Chili!Soft releases on UNIX.
3) Issue: Chili!Soft ASP installs certain configuration files with permission settings that allow world-readable access.
Solution: The removal of access to the ASP samples, by performing one of the steps listed in Item (2) above, will block the ability for anyone to view or modify the ASP configuration and log files without having direct access to the filesystem. We have also determined that a number of the files can safely be set to a higher degree of security. Below is a list of what can be done at this time.