Web Hosting Talk

View Full Version : Colbalt RAQ4 Bugs & Vulnerabilities


ellebi
03-01-2002, 08:21 AM
Three new bugs and vulnerabilities for the Raq4 were found yesterday.
They're:
- Cross Site Scripting.
- Traversal vulnerabilities.
- Denial Of Service.

Be aware that there's an exploit script for the DoS.

The full story can be read at http://online.securityfocus.com/archive/1/259015

ellebi
03-01-2002, 11:21 AM
A quick fix was posted to the cobalt-security list (http://list.cobalt.com/pipermail/cobalt-security/2002-March/004639.html)

-------Start Original message-----------------------------------------------
First of all I have to tell you that Raq3 is affected as well.
Secondly I would like to suggest you a quick and easy fix:

in your dir
/usr/admserv/cgi-bin/.cobalt/alert
(this is a Raq3 path, I don't have a Raq4 but surely others can supply you
the right one)
you will find a .htaccess that I have modified as follows

----[start]-------------
# Access file for /usr/admserv/cgi-bin/.cobalt/alert/ (admin )
order allow,deny
#allow from all
require user admin
Authname CobaltRaQ
Authtype Basic

allow from 127.0.0.1
allow from y.y.y.
allow from x.x.x.x
---[end]-----------------

where y.y.y. is my class c and x.x.x.x is my office gateway.

This solution will not disable the service nor the alert but should stop
exploiting the found vulnerabilities until a proper fix is supplied.


Audric Leperdi
--------------End Original Message-----------------------------------------

Pingu
03-01-2002, 01:15 PM
Isn't there a way to restrict access to that admin stuff all together?

shortfork
03-01-2002, 05:05 PM
Make sure you read all the replies to that original message.. I'm not sure the jury is in on this one yet..

Shortz

Michael
03-01-2002, 06:05 PM
The scripts that are vulnerable are password protected by the GUI. So the only way to run the exploit on your server would be if someone had your admin password, which is another problem.

Mike

ellebi
03-02-2002, 12:38 PM
Peter N. Go posted some solutions for the vulnerabilities to the BugTraq mailing list.

Here it is:

---------------------------------------------------------------------------------
Here are some possible solutions for the items enumerated and described by
Mr. Alex Hernandez in his "Colbalt-RAQ-v4-Bugs&Vulnerabilities" message.

------------------------
1. CROSS SITE SCRIPTING.
------------------------
Possible workaround: Instead of deleting or disabling the "service.cgi"
file, edit the file and add a line that strips out HTML tags. Something
like this:

$service =~ s/<([^>])*>//g;

This may be added after this line in the code:

my $service = $q->param('service');


-----------------------------
2. TRAVERSAL VULNERABILITIES.
-----------------------------
Possible workaround: Create an .htaccess file in the /usr/admserv/html
directory with the following entry:

<Files .htaccess>
Order allow,deny
Deny from all
</Files>

This should prevent all .htaccess files from being viewed by any web browser.


---------------------
3. DENIAL OF SERVICE.
---------------------
Possible workaround: Again, in the "service.cgi" file, add a simple check
for the length of the string passed. In this example, if the string is >
500 chars, the program exits.

if (length($service) > 500) { exit; }


Hope this info somehow helps.
------------------------------------------------------------

For references go to:

Sun Cobalt RaQ Service.CGI HTTP Server Denial of Service Vulnerability
http://online.securityfocus.com/bid/4209

Sun Cobalt RaQ Directory Traversal File Reading Vulnerability
http://online.securityfocus.com/bid/4208
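
An added example, not part of the original post and not Cobalt's service.cgi code: one way to combine the two service.cgi workarounds quoted above, so the length limit is checked before any regex runs and anything echoed back is entity-encoded instead of relying on tag stripping alone. The helper names check_service and html_escape and the allowed character set are assumptions.

```perl
#!/usr/bin/perl
# Added example: input handling for a CGI "service" parameter.
# check_service() and html_escape() are hypothetical helpers, not Cobalt code.
use strict;
use warnings;

my $MAX_LEN = 500;    # limit taken from the workaround quoted above

# Encode the characters that are significant in HTML, so whatever is echoed
# back is rendered as text even if tag stripping missed something.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Returns (ok, value-or-reason). Rejects first, so no regex runs over
# oversized input.
sub check_service {
    my ($service) = @_;
    return (0, 'missing')  unless defined($service) && length($service);
    return (0, 'too long') if length($service) > $MAX_LEN;
    # Allowlist (assumed character set for a service name).
    return (0, 'bad characters') unless $service =~ /\A[A-Za-z0-9_.-]+\z/;
    return (1, $service);
}

# Constructed sample inputs, not taken from the advisory.
my @samples = ('httpd', '<b>httpd</b>', 'a "quoted" name', 'A' x 600);

for my $in (@samples) {
    my ($ok, $val) = check_service($in);
    my $shown = length($in) > 40 ? substr($in, 0, 40) . '...' : $in;
    # Everything printed into the page goes through html_escape().
    printf "%-8s %-17s input=%s\n",
        $ok ? 'accept' : 'reject', $ok ? $val : "($val)", html_escape($shown);
}
```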

NoComment
03-03-2002, 01:09 PM
Last I heard those vulnerabilities were bogus.. Apparently they all require being logged in as admin.. Some exploit huh :)

*NoComment*

PS: don't take my word for it.. security is no joke.