Security Advisory

Dominic White drew my attention to this on a mailing list earlier today, so I decided to investigate. Syrex Intranets, an apparently small technology outfit, have a product they call SICS. It basically seems to be a customized Linux server installation that has all the bells and whistles that small business would want, with a web-based management system and so on. I’m guessing this product is responsible for the problem that I will now describe.

The first instance of this site I saw was KOSH Communications; their SICS management site is publicly available. I’m only guessing this is provided by SICS, as there is no identification of this fact on the site itself. I ran across it with a Google search that picked up publicly available Squid logfiles, but didn’t take much notice of it. However, when someone else independently pointed out a separate site, the similarity in content, appearance, and domain name was evident.

So, over to Google; with a little effort, I was able to construct a Google query that will pick up all (or most) of these sites that are publicly available. I’m not sure whether this is a configuration issue that can be fixed easily, or if it is a fundamental flaw in the “SICS” system; either way, at the time of this writing, that query returns 71 sites. You can view MRTG traffic graphs, Squid cache logs, mount/unmount the CD-ROM drive, and more from the internet, without entering a password or otherwise authenticating in any way. Syrex’s own site seems to be vulnerable, suggesting a fundamental flaw rather than a configuration issue.

Syrex’s site also has a copy of Unix Unleashed, including a copyright statement which they seem to be blatantly violating. In addition, many (if not all) of these sites seem to be hosted off ADSL lines with IP addresses located in the dynamic SAIX ADSL range, and as such may be violating the ISP’s AUP. I would strongly suggest that anyone using one of these systems take it offline, and contact Syrex right away to demand a fix.

UPDATE: Whoops, meant to link to singe, so I’m now referencing him by name to make up for it.

UPDATE: Got a reply from someone at Syrex on 2005/08/18 saying that they’ve fixed the issue, and promising a more in-depth reply at a later stage. They also claim that “David wrote one of the articles in Unix Unleashed and is therefore not infringing on any copyright.” You can confirm for yourself that all of these sites now require HTTP Basic Authentication credentials to access anything except the front page, which seems adequate to me. I’ll continue to update this post as/when I receive more information.
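If you run one of these appliances and want to verify that the fix holds on your own deployment (everything except the front page should answer an unauthenticated request with a 401 challenge rather than content), a small audit script like the following does the job. It is an added example for this post, not code from Syrex or from the SICS product: the management paths it probes are assumptions chosen for illustration, the hostname `sics.example` is a placeholder, and the responses used in the offline run are constructed, not captured from a real server.

```python
"""Audit a web management interface for pages reachable without credentials.

Added example for this post; not Syrex/SICS code. Paths, hostname and the
offline responses below are assumptions constructed for illustration.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Hypothetical management paths of the kind the post describes (traffic
# graphs, proxy logs, a device-control page). Assumed, not taken from SICS.
DEFAULT_PATHS = ["/", "/mrtg/", "/squid/access.log", "/cdrom/mount"]

Response = Tuple[int, Dict[str, str]]  # (HTTP status, lower-cased headers)


def fetch_status(url: str, timeout: float = 5.0) -> Response:
    """GET a URL with no credentials; return (status, headers) even on 4xx/5xx."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def classify(path: str, status: int, headers: Dict[str, str],
             public: Tuple[str, ...] = ("/",)) -> str:
    """Verdict for one unauthenticated response.

    protected : server issued a credential challenge (401 + WWW-Authenticate)
    public    : content served on a path that is allowed to be open
    exposed   : content served on a path that should have required a login
    blocked   : anything else (403, 404, 5xx): unreachable, but no challenge
    """
    if status == 401 and "www-authenticate" in headers:
        return "protected"
    if 200 <= status < 300:
        return "public" if path in public else "exposed"
    return "blocked"


def audit(base_url: str, paths: List[str] = DEFAULT_PATHS,
          fetch: Callable[[str], Response] = fetch_status) -> Dict[str, str]:
    """Probe each path without credentials and map it to a verdict."""
    results: Dict[str, str] = {}
    for path in paths:
        status, headers = fetch(base_url.rstrip("/") + path)
        results[path] = classify(path, status, headers)
    return results


def exposed_paths(results: Dict[str, str]) -> List[str]:
    """The paths that still serve content to anonymous clients."""
    return sorted(p for p, verdict in results.items() if verdict == "exposed")


# Constructed responses standing in for a live server so the example runs
# offline: one log path is deliberately left open to show the failure case.
CONSTRUCTED = {
    "http://sics.example/": (200, {"content-type": "text/html"}),
    "http://sics.example/mrtg/": (401, {"www-authenticate": 'Basic realm="SICS"'}),
    "http://sics.example/squid/access.log": (200, {"content-type": "text/plain"}),
    "http://sics.example/cdrom/mount": (401, {"www-authenticate": 'Basic realm="SICS"'}),
}


def fake_fetch(url: str) -> Response:
    """Offline stand-in for fetch_status over the constructed responses."""
    return CONSTRUCTED[url]


if __name__ == "__main__":
    verdicts = audit("http://sics.example", fetch=fake_fetch)
    for path, verdict in verdicts.items():
        print(f"{verdict:9} {path}")
    print("still exposed:", exposed_paths(verdicts))  # ['/squid/access.log']
```

To run it against a real deployment of your own, call `audit("http://your-host")` with the default `fetch_status`. Note that a 401 tells you a login is demanded, not that the login is strong: Basic Authentication sends the password base64-encoded on every request, so over plain HTTP it should only be considered adequate on a network you trust or behind TLS.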