Bugtraq mailing list archives

Re: midnight commander vulnerability(?)


From: thomas () SUSE DE (Thomas Biege)
Date: Wed, 18 Aug 1999 12:48:05 +0200


Hi,

privileges of $HOME/.mc/ are default rwx-rx--rx-
if anyone has used built-in mc ftp-client and has put link like:
password:> password:user () some host, in file
history in folder $HOME/.mc/ is stored in a key in '[inp FTP to machine ]'
tree.

The current version (4.5.37) of mc, that is used by SuSE creates
the history file mode 600 independently of the umask.

Nevertheless, I think it's a very bad behavior to record account
information, because it could be used by a cracker to gain access
to more sites.
The authors of mc should disable recording this kind of stuff.

Bye,
     Thomas

--
  Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
    E@mail: thomas () suse de      Function: Security Support & Auditing
  "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
  Key fingerprint = E3 42 DA D1 3B 9C 23 D0  93 1F B8 2E 6B 9A 45 82
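
The two points raised in the message above, shown as an added example (not code from mc or from the original post): a history file kept at mode 0600 whatever the umask, and account information dropped from an entry before it is recorded. The function names, the file name and the assumption that entries look like ftp://user:password@host/path are illustrative only.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy url to out without any "user:password@" part. Only the authority
 * (text between "://" and the next '/') is searched for '@'. */
static void strip_userinfo(const char *url, char *out, size_t outsz)
{
    const char *sep = strstr(url, "://");
    const char *auth = sep ? sep + 3 : url;
    size_t authlen = strcspn(auth, "/");
    const char *at = NULL;
    for (size_t i = 0; i < authlen; i++)
        if (auth[i] == '@')
            at = auth + i;              /* last '@' ends the userinfo */
    /* scheme prefix, then everything after the userinfo (if there was any) */
    snprintf(out, outsz, "%.*s%s", (int)(auth - url), url, at ? at + 1 : auth);
}

/* Append one entry to a history file kept at mode 0600 whatever the umask.
 * A plain fopen(path, "a") would create it as 0666 & ~umask instead. */
static int save_history(const char *path, const char *url)
{
    char clean[512];
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                      /* also refuses a symlinked path */
    strip_userinfo(url, clean, sizeof clean);
    int ok = fchmod(fd, 0600) == 0 && dprintf(fd, "%s\n", clean) > 0;
    return close(fd) == 0 && ok ? 0 : -1;
}

/* Permission bits of path, or -1 if it cannot be examined. */
static int file_mode(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

int main(void)
{
    const char *path = "mc_history_demo.tmp";   /* constructed file name */
    umask(0);                                   /* most permissive umask */
    if (save_history(path, "ftp://alice:s3cret@ftp.example.org/pub") != 0)
        return 1;
    printf("%s mode %o\n", path, file_mode(path));
    return 0;
}
```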


