[ Thanks to Nate Case
for this link. ]
“Do you remember the Piranha debacle back in April? Welcome to
Part II. Last Tuesday, it was revealed that Microsoft SQL
Server 7.0 is shipped with a default password – just like Red Hat’s
piranha module. Unlike Piranha, SQL Server is very common software
for large e-business websites. Unlike Piranha, the vulnerable
software has been shipping for months. Unlike Red Hat, Microsoft
refuses to take responsibility for their mistake, which, unlike Red
Hat’s, has resulted in actual documented break-ins, some at
high-profile websites. So why haven’t you read about it?“
“Because unlike Red Hat, Microsoft is getting a pass by the
media.”
“Piranha is web clustering/failover software that was released
in April by Red Hat without much QA. It somehow went out the door
with a default password (“Q”) and without docs explaining in big
bold caps that it must be changed. If you installed the Piranha RPM
without reading the docs carefully, you had a security hole on your
site.”
“The hole allowed an attacker to come in over port 80 and
execute arbitrary commands as the Piranha user, which would have
been the web user. Typically that’s a nonprivileged “nobody”
account. While this is never good, let’s just note for the record
that this is a read-only exploit unless the webserver is very
poorly configured.
“The media flipped, in a word, out.”