| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 Apr 2003 18:23:57 -0400 (EDT) From: Shawn Duffy <pakkit@...epiranha.org> To: Damieon Stark <visigoth@...uritycentric.com> Subject: Re: Nokia IPSO Vulnerability I would agree that this isn't the best configuration and should probably be changed, but I would like to know how many people are putting untrusted user accounts on a Nokia box? Shawn Duffy, CCNA CCSA email: pakkit at codepiranha dot org web: http://codepiranha.org/~pakkit gpg key: http://codepiranha.org/~pakkit/pakkit.asc gpg fpr: 8988 6FB6 3CFE FE6D 548E 98FB CCE9 6CA9 98FC 665A having problems reading email from me? http://codepiranha.org/~pakkit/pgp-trouble.html On Thu, 24 Apr 2003, Damieon Stark wrote: > On Thu, Apr 24, 2003 at 01:32:50PM -0300, Jorge Merlino wrote: > > I don't think that is a vulnerability. > > The file /etc/master.passwd has read access for all users. Monitor can also > > read it in a ssh session. > > I you try that URL in a file with, let's say, 660 permissions you get a > > blank page. > > Ummm... What am I missing here? Does it seem _crazy_ to anybody else that > the permissions on the file containing some of the most sensitive information > on the system would have read access to all users? This is clearly NOT > the default on any of the BSD systems (including the one from which IPSO is > derived) that I am aware of. > > Can anybody else confirm the permissions required to read the file? Can > anybody else confirm that the /etc/master.passwd file is a+r? > > I would have to call this a vulnerability either way.... > > -visigoth > > >
Powered by blists - more mailing lists