Bugtraq mailing list archives
Re: cvs security problem
From: Kev <klmitch () MIT EDU>
Date: Fri, 28 Jul 2000 14:20:42 -0400
I found two security problems in cvs-1.10.8.
From the CVS info page (Node: Password authentication security):
The separate CVS password file (*note Password authentication server::) allows people to use a different password for repository access than for login access. On the other hand, once a user has non-read-only access to the repository, she can execute programs on the server system through a variety of means. Thus, repository access implies fairly broad system access as well. It might be possible to modify CVS to prevent that, but no one has done so as of this writing. (cvs version 1.10.7; I'd be suprised if .8 has changed that much in this respect.) This has been the case for quite some time. It would be nice if CVS could be made more secure, but it would probably take a lot of work. -- Kevin L. Mitchell <klmitch () mit edu>
Current thread:
- cvs security problem Tanaka Akira (Jul 28)
- Re: cvs security problem Kev (Jul 29)
- Re: cvs security problem Tanaka Akira (Jul 29)
- Re: cvs security problem Greg A. Woods (Jul 29)
- Re: cvs security problem Tanaka Akira (Jul 29)
- Re: cvs security problem Greg A. Woods (Jul 29)
- Re: cvs security problem Tanaka Akira (Jul 29)
- Re: cvs security problem Kev (Jul 29)