Date: Wed, 28 Jul 2004 10:00:27 +0200
From: Andreas Beck <becka-list-bugtraq@...atec.de>
To: bugtraq@...urityfocus.com
Subject: Re: CVS woes: .cvspass


Valdis.Kletnieks@...edu wrote:
> On Tue, 27 Jul 2004 03:00:52 +0900, Chiaki <ishikawa@...rim.or.jp>  said:
> > Granted that many of these files under user home directories
> > visible on the web
> > must be the password to be used by anonymous server or
> > publicly usable CVS server, but I doubt if ALL of them
> > are the result of such benign neglect.
> If a user's home directory is visible via a web browser, the .cvspass
> is probably not the biggest problem....

It looks like quite some people check the .cvspass into cvs itself. When
doing a quick check of yesterday's advisory, most hits were from
cvs-viewing utilities.

Maybe they just don't know what .cvspass is for and think "oh, there's a
.cvs in there, I'd better check it in". Of course this doesn't explain
why they move it into the respective directory in the first place, as
it usually resides in $HOME, while CVS sources usually create their own
directory on checkout.

Also note that for exploitation you do not even need to reverse the
password. You just add the .cvspass entries to your own .cvspass and
get access.


Kind regards,

Andreas Beck

-- 
Andreas Beck
http://www.bedatec.de/
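Because a leaked .cvspass line is reusable as-is, the practical defence is to find the file wherever it has ended up (a web root, a checked-in tree) and rotate the credentials it lists. The script below is an added example, not code from the post or from CVS: it walks a directory tree for files named .cvspass, parses each line into its CVSROOT components, ranks anonymous entries as low risk and everything else as high, and reports the stored secret only in redacted form. The line layout it assumes (an optional "/1 " format-version prefix written by CVS 1.11 and later, then the :pserver: CVSROOT, a space, and the scrambled password whose first character names the scramble scheme) and the sample file contents are assumptions constructed for the example.

```python
import os
import re
import tempfile
from typing import Dict, List

# Constructed sample .cvspass contents (not from the post). The "/1 " prefix,
# the empty-port ":/" form and the "A..." scrambled values are format assumptions.
SAMPLE_CVSPASS = (
    "/1 :pserver:alice@cvs.example.test:2401/cvsroot A9d3J_x\n"
    ":pserver:anonymous@anoncvs.example.test:/cvsroot Aanoncvs\n"
    "/1 :pserver:build@cvs.example.test:2401/internal Azz91Qq\n"
    "# not a credential line, must be skipped\n"
)

# One credential per line: optional "/<n> " version prefix, the CVSROOT, one or
# more spaces, then the scrambled password. The port may be empty (":/path").
_ENTRY = re.compile(
    r"^(?:/\d+\s+)?"                                      # "/1 " prefix (assumed)
    r"(:pserver:([^@\s]+)@([^:/\s]+)(?::(\d*))?(/\S*))"   # CVSROOT, user, host, port, repo
    r"\s+(\S+)$"                                          # scrambled password
)

ANONYMOUS_USERS = ("anonymous", "anoncvs")


def parse_cvspass(text: str) -> List[Dict[str, str]]:
    """Parse .cvspass text into dicts; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue
        cvsroot, user, host, port, repo, scrambled = m.groups()
        entries.append({
            "cvsroot": cvsroot,
            "user": user,
            "host": host,
            "port": port or "2401",   # pserver default when the port is omitted
            "repo": repo,
            "secret": scrambled,
        })
    return entries


def redact(scrambled: str) -> str:
    """Keep only the one-character scheme tag so reports never carry the secret."""
    if len(scrambled) <= 1:
        return "*"
    return scrambled[0] + "*" * (len(scrambled) - 1)


def classify(entry: Dict[str, str]) -> str:
    """Anonymous read-only accounts are low risk; any named account is high."""
    return "low" if entry["user"].lower() in ANONYMOUS_USERS else "HIGH"


def find_cvspass_files(root: str) -> List[str]:
    """Return every file literally named .cvspass below root, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == ".cvspass":
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def audit_tree(root: str) -> List[Dict[str, str]]:
    """Collect redacted findings for all .cvspass files under root."""
    findings = []
    for path in find_cvspass_files(root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for e in parse_cvspass(fh.read()):
                findings.append({
                    "file": path,
                    "risk": classify(e),
                    "cvsroot": e["cvsroot"],
                    "secret": redact(e["secret"]),
                })
    return findings


def _demo() -> None:
    # Build a throwaway tree that mimics a .cvspass checked in under a web root.
    with tempfile.TemporaryDirectory() as tmp:
        proj = os.path.join(tmp, "webroot", "project")
        os.makedirs(proj)
        with open(os.path.join(proj, ".cvspass"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CVSPASS)
        for f in audit_tree(tmp):
            print(f"{f['risk']:4} {f['cvsroot']} {f['secret']} ({f['file']})")


if __name__ == "__main__":
    _demo()
```

Run it against a web root or an exported repository tree instead of the temporary directory; every HIGH line is an account whose password should be changed, since the stored value grants access without being unscrambled.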

