Hello.

I am releasing this very late, as SnortCenter v0.9.6 has been released for a few weeks now. This bug was discovered a couple of months ago, but not released at the request of Stefan Dens, the author of SnortCenter.

SnortCenter is a PHP-based tool for aggregating many Snort sensors into one place to make it easy to keep rules and configurations synchronized.

Upon choosing to "push" the rules out to a particular sensor, a file is created in the temp directory with the same name as the sensor. So, if your sensor is named "hal" and you push the rules out to it, a file /tmp/hal is created on the webserver with permissions 777.

This means that *anyone* with access to the SnortCenter server's /tmp directory could read the sensor config files, among other fun /tmp games. Interesting bits in these files include the usernames/passwords/addresses of the alert database servers.

TO FIX:

v0.9.6 has been recently released, and should be upgraded to. Also I have attached a patch for 0.9.5 that uses a more random name (not sure of the security of php4's tempnam() function), and secure permissions on the file.

You can get v0.9.6 at SnortCenter's home page:

http://users.pandora.be/larc/

Clint Byrum
----------------------------
http://spamaps.org/
http://excellenceintech.com/

Attachment: snortcenter_v095-tmpfix.patch
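
The two file-creation patterns contrasted in the advisory, as an added example; it is neither SnortCenter code nor the attached patch. The function names, the demo directory and the sample config line are constructed for illustration, and the code assumes PHP 7 or later on a Unix-like system (for random_bytes() and POSIX file modes).

```php
<?php
// Pattern the advisory describes: file named after the sensor, mode 0777.
function write_config_weak(string $dir, string $sensor, string $data): string
{
    $path = $dir . '/' . basename($sensor);   // e.g. /tmp/hal: guessable in advance
    file_put_contents($path, $data);          // would follow a pre-planted symlink
    chmod($path, 0777);                       // any local user can read or replace it
    return $path;
}

// Hardened form: unpredictable suffix, exclusive create, owner-only mode.
function write_config_hardened(string $dir, string $sensor, string $data): string
{
    $old = umask(0077);                       // files created below get at most 0600
    try {
        for ($i = 0; $i < 10; $i++) {
            $name = basename($sensor) . '.' . bin2hex(random_bytes(8));
            // 'x' maps to O_CREAT|O_EXCL: fails if the name exists, even as a symlink.
            $fh = @fopen($dir . '/' . $name, 'x');
            if ($fh !== false) {
                fwrite($fh, $data);
                fclose($fh);
                return $dir . '/' . $name;
            }
        }
        throw new RuntimeException('could not create a unique temp file');
    } finally {
        umask($old);                          // restore the process umask
    }
}

// Permission bits of a file as a four-digit octal string.
function mode_of(string $path): string
{
    clearstatcache(true, $path);
    return sprintf('%04o', fileperms($path) & 07777);
}

// Demo in a private scratch directory, so nothing is left behind in /tmp.
$dir = sys_get_temp_dir() . '/sc-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$cfg = "output database: alert, mysql, user=snort password=EXAMPLE\n"; // constructed

$weak = write_config_weak($dir, 'hal', $cfg);
$safe = write_config_hardened($dir, 'hal', $cfg);
printf("%s %s\n%s %s\n", mode_of($weak), $weak, mode_of($safe), $safe);

unlink($weak);
unlink($safe);
rmdir($dir);
```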