Bugtraq mailing list archives
Re: midnight commander vulnerability(?)
From: thomas () SUSE DE (Thomas Biege)
Date: Wed, 18 Aug 1999 12:48:05 +0200
Hi,
privileges of $HOME/.mc/ are default rwx-rx--rx- if anyone has used built in mc ftp-client and has put link like: password:> password:user () some host, in file history in folder $HOME/.mc/ is stored in a key in '[inp FTP to machine ]' tree.
The current version (4.5.37) of mc, that is used by SuSE creates the history file mode 600 independently of the umask. Nevertheless, I think it's a very bad behavior to record account information, because it could be used by a cracker to gain access to more sites. The authors of mc should disable recording this kind of stuff.

Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas () suse de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = E3 42 DA D1 3B 9C 23 D0 93 1F B8 2E 6B 9A 45 82
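
The two points in the message above (a history file kept at mode 600 whatever the umask, and not recording account information) are sketched below in C. This is an added example, not part of the original post and not mc's code; the function names and the `[ftp://]user:password@host` entry form are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy an FTP target into out without its password.
 * Assumed form (not taken from mc): [ftp://]user:password@host[/path].
 * Returns 1 if a password was removed, 0 if none, -1 if out is too small. */
int strip_password(const char *in, char *out, size_t outlen)
{
    const char *start = strstr(in, "://");
    start = start ? start + 3 : in;
    size_t authlen = strcspn(start, "/");   /* authority ends at first '/' */
    const char *at = NULL;
    for (size_t i = 0; i < authlen; i++)    /* last '@' ends the userinfo */
        if (start[i] == '@') at = start + i;
    const char *colon = at ? memchr(start, ':', (size_t)(at - start)) : NULL;
    if (!colon) {                           /* nothing secret to drop */
        if (strlen(in) >= outlen) return -1;
        strcpy(out, in);
        return 0;
    }
    size_t head = (size_t)(colon - in);     /* keep everything before ':' */
    if (head + strlen(at) >= outlen) return -1;
    memcpy(out, in, head);
    strcpy(out + head, at);                 /* resume at "@host..." */
    return 1;
}

/* Open a history file for appending, owner read/write only. open()'s mode
 * applies only on creation, so fchmod() also tightens an existing file. */
int open_private(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0) return -1;
    if (fchmod(fd, 0600) != 0) { close(fd); return -1; }
    return fd;
}

int main(void)
{
    char clean[256];                        /* constructed sample entry */
    strip_password("ftp://alice:s3cret@ftp.example.org/pub", clean, sizeof clean);
    puts(clean);
    return 0;
}
```

A password containing a raw `/` is not recognised by this sketch; it has to be percent-encoded in the entry for the strip to apply.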