lists.openwall.net: Open Source and information security mailing list archives
Date: Mon, 09 Aug 2004 20:13:34 +0200
From: Matthias Leisi <matthias@...rum.ch>
To: bugtraq@...urityfocus.com
Subject: Re: SuSE Linux K-Menu YAST Control Center Priviledge Escalation Vulnerability
Radoslav Dejanović wrote:

> It does pose some risk, 
> however, for it might allow an unprivileged user to take a look at some data 
> that should be hidden from the user (for example, you can look at firewall 
> settings but can't make changes). 

But if the user is allowed to read this file (e.g. somewhere in /etc) 
through Yast, then he can read it anyway, let's say through less.


> On the other hand, you can start yast from the console with the -firewall switch 
> and have a peek at the settings (still can't make changes), so this isn't 
> KDE's fault but a flaw in yast itself. It would be wise to add some paranoia 
> to yast so it won't show sensitive data to an unprivileged user.   

Which is a bad idea, since it merely hides the problem.

-- Matthias

-- 
Brain-Log                               http://matthias.leisi.net/
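The argument in this reply is that a front end such as YaST cannot make a configuration file confidential if the file's own mode bits already let every local user read it with less, and that hiding it in the GUI only hides the problem. The following is an added example, not code from the thread or from SuSE/YaST: a small audit that classifies files under a directory by the widest read permission their Unix mode bits grant, so an administrator can see which "sensitive" files are in fact world-readable and need a permission fix rather than a display tweak. The file names, modes and directory layout are constructed sample data; the classification ignores ACLs and MAC policies (a simplifying assumption).

```python
import os
import stat
import tempfile

# Added example, not from the original thread: classify who can read a
# configuration file from its Unix mode bits. ACLs and MAC labels are not
# considered (simplifying assumption); the mode bits are the boundary that
# a GUI front end cannot change by merely declining to display the file.


def exposure(path: str) -> str:
    """Classify a file by the widest read permission its mode bits grant."""
    mode = os.lstat(path).st_mode
    if mode & stat.S_IROTH:
        return "world-readable"
    if mode & stat.S_IRGRP:
        return "group-readable"
    return "owner-only"


def audit_dir(root: str) -> dict:
    """Map every regular file under root (path relative to root) to its exposure class."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # for a symlink the target's bits matter; audit it separately
            result[os.path.relpath(full, root)] = exposure(full)
    return result


def world_readable(audit: dict) -> list:
    """Files any local user can already read, so showing them in a GUI adds no exposure."""
    return sorted(p for p, cls in audit.items() if cls == "world-readable")


def make_sample_tree(root: str) -> None:
    """Constructed sample: three config files with deliberately different modes."""
    os.makedirs(os.path.join(root, "sysconfig"))
    samples = {
        "network.conf": 0o644,           # readable by everyone: nothing to hide
        "firewall-secrets.conf": 0o600,  # owner only: this is what must stay private
        "sysconfig/mail.conf": 0o640,    # owner and group only
    }
    for rel, mode in samples.items():
        full = os.path.join(root, rel)
        with open(full, "w") as f:
            f.write("# constructed sample config\n")
        os.chmod(full, mode)  # explicit chmod so the process umask does not matter


def demo() -> dict:
    """Build the constructed sample tree in a temp dir and return its audit."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        return audit_dir(root)


if __name__ == "__main__":
    audit = demo()
    for rel, cls in sorted(audit.items()):
        print(f"{cls:15} {rel}")
    print("already readable by any local user:", world_readable(audit))
```

Run it against a real directory by calling audit_dir("/etc") as the user in question; anything it reports as world-readable is data that user can already read with less, regardless of what YaST chooses to display, and anything reported as owner-only that a GUI nevertheless shows to that user points at the front end running with more privilege than the user has.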