[Full-disclosure] VMware server (2.0.2) insecure file creation

From: <dd_at_nospam>
Date: Wed Jan 06 2010 - 15:07:07 GMT
To: full-disclosure <full-disclosure@lists.grok.org.uk>

Have anyone noticed that the files created by the VMware server installer all have the 777 permissions
to it?

I just installed it on two systems with the same problem....

These are the alerts coming from ossec (the whole /usr/lib/vmware is 777):

File '/usr/lib/vmware/hostd/docroot/print.css' is owned by root and has written permissions to anyone.
File '/usr/lib/vmware/hostd/docroot/client/clients.xml' is owned by root and has written permissions to anyone. File '/usr/lib/vmware/hostd/docroot/sdk/vim.wsdl' is owned by root and has written permissions to anyone.
.. more hundred files...
File '/usr/lib/vmware/hostd/docroot/sdk/vimServiceVersions.xml' is owned by root and has written permissions to anyone. File '/usr/lib/vmware/hostd/docroot/error-32x32.png' is owned by root and has written permissions to anyone.

Link to it:
http://blog.sucuri.net/2010/01/vmware-insecure-file-creation.html

--dd

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

This message: [ Message body ]
Next message: excuseme_at_nospam: "[Full-disclosure] pdp petkov files still available?"
Previous message: Adrian liu: "[Full-disclosure] Need a invitation code of the IIScan.com for test."
Next in thread: Valdis.Kletnieks_at_nospam: "Re: [Full-disclosure] VMware server (2.0.2) insecure file creation"
Reply: Valdis.Kletnieks_at_nospam: "Re: [Full-disclosure] VMware server (2.0.2) insecure file creation"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]