Bugtraq mailing list archives
Re: CVS woes: .cvspass
From: Andreas Beck <becka-list-bugtraq () bedatec de>
Date: Wed, 28 Jul 2004 10:00:27 +0200
Valdis.Kletnieks () vt edu wrote:

> On Tue, 27 Jul 2004 03:00:52 +0900, Chiaki <ishikawa () yk rim or jp> said:
>
> > Granted that many of these files under user home directories visible on the web must be the password to be used by anonymous server or publicly usable CVS server, but I doubt if ALL of them are the result of such benign neglect.
>
> If a user's home directory is visible via a web browser, the .cvspass is probably not the biggest problem....
It looks like quite some people check the .cvspass into cvs itself. When doing a quick check of yesterday's advisory, most hits were from cvs-viewing utilities. Maybe they just don't know what .cvspass is for and think "oh, there's a .cvs in there, I'd better check it in". Of course this doesn't explain why they move it into the respective directory in the first place, as it usually resides in $HOME, while CVS sources usually create their own directory on checkout.

Also note that for exploitation you do not even need to reverse the password. You just add the .cvspass entries to your own .cvspass and get access.

Kind regards,

Andreas Beck

-- 
Andreas Beck http://www.bedatec.de/
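A hygiene check for the problem described above, added here as an example and not code from the thread: it walks a checkout, flags any .cvspass file or any file carrying .cvspass-format entries, and rates anonymous pserver logins lower than personal ones, without ever printing the scrambled password field. The entry format assumed is the one the CVS client writes to ~/.cvspass; the host names and scrambled values in the sample are constructed.

```python
import os
import re
from typing import Dict, List, Tuple

# Entry format the CVS client writes to ~/.cvspass (CVS 1.11+ prefixes "/1 ",
# older clients omit it): [/1 ]:pserver:user@host:[port]/repo Ascrambled
# The scrambled field is reusable as-is by anyone who copies the line,
# so the scanner reports its presence but never echoes it.
CVSPASS_LINE = re.compile(
    r"^(?:/1\s+)?:pserver:(?P<user>[^@:\s]+)@(?P<host>[^:\s]+):(?P<path>\S+)\s+\S+\s*$"
)

def classify_cvspass_text(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (risk, user, host, repo_path) per .cvspass-style entry in text.
    Anonymous pserver logins are public by design and rated "info";
    any other user name is a personal credential and rated "high"."""
    findings = []
    for line in text.splitlines():
        m = CVSPASS_LINE.match(line)
        if not m:
            continue
        user = m.group("user")
        risk = "info" if user.lower() in ("anonymous", "anoncvs") else "high"
        findings.append((risk, user, m.group("host"), m.group("path")))
    return findings

def scan_tree(root: str) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Walk a checkout; list files named .cvspass plus any other file whose
    lines match the entry format (e.g. a renamed or concatenated copy)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings = classify_cvspass_text(fh.read())
            except OSError:
                continue
            if findings or name == ".cvspass":
                report[path] = findings
    return report

# Constructed sample of a leaked file (fake scrambled values, not real ones).
SAMPLE_CVSPASS = """\
/1 :pserver:anonymous@cvs.example.org:2401/cvsroot Afakescrambled1
:pserver:alice@cvs.example.org:/home/cvs Afakescrambled2
cvs_root = ':pserver:anonymous@cvs.example.org:/cvsroot'
"""
```

Running `scan_tree` over a fresh checkout before publishing it (or over a web root) catches both the file itself and copies that were renamed before being committed.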