Penetration Testing mailing list archives
Pen testing a CVS server
From: Bugsy <bugsy9999 () yahoo com>
Date: Sun, 18 May 2003 07:17:09 -0700 (PDT)
Hi,

I'm pentesting a server which is running CVS pserver. I have gone through the CVS documentation and read other posts on the securityfocus mailing lists. I am listing below what I have done so far, and would like to know if there is anything else that can be done with this.

First, trying to log in to the pserver with the command:

    cvs -d :pserver:root@host.domain.com:/wrong/cvs/root login

yields the information of whether the repository is correct or not. Enumerating this, I have found the correct repository.

Enumerating usernames:

    cvs -d :pserver:luser@host.domain.com:/wrong/cvs/root login

tells me whether luser exists on the server or not. I get

    luser: no such user

if it's a non-existent username.

Checking passwords:

    cvs -d :pserver:root@host.domain.com:/wrong/cvs/root login

tells me if I got the root password right or not.

Is there anything else that can be done? More specifically, is there some way to find out the version of the CVS server without being able to log in?

Also, now that CVS server is that popular, shouldn't they build in basic security measures such as giving the same failure message whether the username, password or repository is wrong?

-Bugsy
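The closing suggestion in the message above, one failure message whether the repository, username or password is wrong, sketched as an added example. It is not part of the original post and is not CVS code; the function names, the sample account and repository root, and every message other than "no such user" are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: one allowed repository root and one account.
ALLOWED_ROOTS = {"/var/cvs/main"}
_SALT = os.urandom(16)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy record so an unknown user costs the same hashing work as a known one.
_DUMMY = (os.urandom(16), os.urandom(32))
GENERIC_FAILURE = "authorization failed"

def leaky_login(root, user, password):
    """Distinct reply per failure cause: the behaviour the post describes."""
    if root not in ALLOWED_ROOTS:
        return f"{root}: no such repository"   # constructed message
    if user not in USERS:
        return f"{user}: no such user"         # message quoted in the post
    salt, stored = USERS[user]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "wrong password"                # constructed message
    return "ok"

def uniform_login(root, user, password):
    """One reply for every failure; the password hash is always computed."""
    salt, stored = USERS.get(user, _DUMMY)
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    root_ok = root in ALLOWED_ROOTS
    user_ok = user in USERS
    if root_ok and user_ok and password_ok:
        return "ok"
    return GENERIC_FAILURE

def distinct_failures(login):
    """Count how many different failure replies a login function gives."""
    probes = [
        ("/wrong/cvs/root", "alice", "correct horse"),  # bad repository
        ("/var/cvs/main", "luser", "x"),                # unknown user
        ("/var/cvs/main", "alice", "bad"),              # bad password
    ]
    return len({login(*p) for p in probes})
```

With the uniform version, the three failed probes are indistinguishable by reply text, so repository and username can no longer be confirmed one at a time.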
Current thread:
- Pen testing a CVS server Bugsy (May 18)
- Re: Pen testing a CVS server Alexandre Carmel-Veilleux (May 20)
- RE: Pen testing a CVS server Lluis Mora (May 20)
- <Possible follow-ups>
- RE: Pen testing a CVS server Royans Tharakan (May 20)
- Re: Pen testing a CVS server Alexandre Carmel-Veilleux (May 20)