Hello Adobe's /etc/passwd



  • Interesting thread on Reddit:

    http://reddit.com/info/2tpxi/comments

     

    The Adobe server is down now, fortunately for them, but not before a whole list of passwords, config files, and various system information were pulled out and posted. All from a simple path injected in the URL.

     

    Tisk tisk Adobe, the real WTF is that a company that big isn't running their webservers in a chroot jail and isn't validating their input. Especially if a local file is being passed as a parameter!
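    The input-validation point above, as an added example that is not from the thread or from Adobe: a file-name request parameter joined straight onto the document root (the bug as described, with an assumed document root of /var/www/app/public) beside a version that canonicalises the candidate path and only serves it when it is still inside that root.

    ```python
    import os
    from urllib.parse import unquote

    # Constructed document root for the example; the thread names no paths.
    BASE_DIR = "/var/www/app/public"


    def resolve_unchecked(base, param):
        """The pattern the thread describes: the request parameter is joined
        straight onto the document root. os.path.join discards base when param
        is absolute, and '..' segments walk out of it."""
        return os.path.normpath(os.path.join(base, unquote(param)))


    def resolve_checked(base, param):
        """Canonicalise the candidate and accept it only if it is still inside
        base. Returns the resolved path, or None when the request is rejected.
        This is a lexical check only: on a live server also apply
        os.path.realpath() so a symlink inside the root cannot point back out."""
        decoded = unquote(param)
        if "\x00" in decoded:          # NUL truncates paths in C-based servers
            return None
        if os.path.isabs(decoded):     # an absolute path never names a public file
            return None
        base = os.path.normpath(base)
        candidate = os.path.normpath(os.path.join(base, decoded))
        # commonpath() is the containment test; a plain startswith() would
        # accept a sibling such as /var/www/app/public-old.
        if os.path.commonpath([base, candidate]) != base:
            return None
        return candidate


    if __name__ == "__main__":
        # Constructed sample requests: one legitimate, three traversal attempts.
        for p in ["index.html", "../../../../etc/passwd",
                  "/etc/passwd", "%2e%2e/%2e%2e/etc/passwd"]:
            print(f"{p!r:32} unchecked -> {resolve_unchecked(BASE_DIR, p)}")
            print(f"{'':32} checked   -> {resolve_checked(BASE_DIR, p)}")
    ```

    A request containing '..' that stays inside the root (css/../index.html) is still served, so the check rejects escapes rather than blacklisting a token.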



  • So the WTF is that even large companies have incompetent web developers and system administrators? Excuse me while I shit myself in awe.



  • Heh, pretty amazing. Someone needs new keys now...

    Unrelated, I find it amusing that half of the discussion seems to revolve around the correct spelling of "Touché". True Internet style.
     



  • @PSWorx said:

    Unrelated, I find it amusing that half of the discussion seems to revolve around the correct spelling of "Touché". True Internet style.

    Recently on a forum I occasionally visit some guy was asking for advice about leaving his wife and declaring his love for another woman. Within twenty or so responses the whole thing had degenerated into a flame war about the respective merits of Oracle and SQL Server :-D



  • @nickfitz said:

    @PSWorx said:
    Unrelated, I find it amusing that half of the discussion seems to revolve around the correct spelling of "Touché". True Internet style.

    Recently on a forum I occasionally visit some guy was asking for advice about leaving his wife and declaring his love for another woman. Within twenty or so responses the whole thing had degenerated into a flame war about the respective merits of Oracle and SQL Server :-D
    That's because only small-brained morons use Oracle. Flame on!



  • @nickfitz said:

    @PSWorx said:
    Unrelated, I find it amusing that half of the discussion seems to revolve around the correct spelling of "Touché". True Internet style.

    Recently on a forum I occasionally visit some guy was asking for advice about leaving his wife and declaring his love for another woman. Within twenty or so responses the whole thing had degenerated into a flame war about the respective merits of Oracle and SQL Server :-D

    Ok, please link to that. It sounds like it'll be a hilarious read. Or am I the only one who reads flame wars for entertainment purposes?



  • @BradleyS said:

    @nickfitz said:
    @PSWorx said:
    Unrelated, I find it amusing that half of the discussion seems to revolve around the correct spelling of "Touché". True Internet style.

    Recently on a forum I occasionally visit some guy was asking for advice about leaving his wife and declaring his love for another woman. Within twenty or so responses the whole thing had degenerated into a flame war about the respective merits of Oracle and SQL Server :-D

    Ok, please link to that. It sounds like it'll be a hilarious read. Or am I the only one who reads flame wars for entertainment purposes?

     

    Better than starting flame wars for entertainment purposes, like me.



  • @kimos said:

    Interesting thread on Reddit:

    http://reddit.com/info/2tpxi/comments

     

    The Adobe server is down now, fortunately for them, but not before a whole list of passwords, config files, and various system information were pulled out and posted. All from a simple path injected in the URL.

    I see no hint of anybody extracting passwords, nor would I expect them to - unix systems haven't stored passwords in /etc/passwd in years. Even if you did, you still have to break md5 to use them, and rainbowcrack is mostly useless against unix md5 hashes.

    Furthermore, on any reasonably sane unix system, no information can be collected in this manner which is of any real threat. This is the sort of things that makes managers wet themselves and sysadmins shrug. It would only be a problem in the movies; in the real world, it's pretty much harmless. Unix systems are designed to be accessed in this manner, with any random user being able to look at the public files, and remain secure.


    the real WTF is that a company that big isn't running their webservers in a Chroot jail

     

    That really doesn't accomplish anything much. It's the sort of thing that people like to talk about on the web, but it's not much more meaningful than "remodulate the shield harmonics". chroots have their applications, but only in very rare circumstances do they add any security.

