Bugtraq mailing list archives

Re: midnight commander vulnerability(?)


From: nwarmuth () PRIVAT CIRCULAR DE (Norbert Warmuth)
Date: Wed, 25 Aug 1999 08:02:04 +0200


On Wed, 18 Aug 1999, Thomas Biege wrote:
> The current version (4.5.37) of mc, that is used by SuSE creates
> the history file mode 600 independently of the umask.
>
> Nevertheless, I think it's a very bad behavior to record account
> information, because it could be used by a cracker to gain access
> to more sites.
> The authors of mc should disable recording this kind of stuff.

The authors of The Midnight Commander have disabled recording
of passwords to ~/.mc/history.

Currently MC users can input passwords by three different means:
1. Password input dialogs: users are queried when a password is needed
   in order to proceed. These passwords are hidden during input.
2. For convenience sake users are allowed to embed passwords into URLs,
   e.g. to ftp to some host they can enter
   `cd ftp://user:password@somehost' into the command line. These
   passwords are displayed in plain text during input because the
   command line's first purpose is not to input passwords. You better
   know what you are doing when you use this feature.
3. PASSWD environment variable.

Passwords entered by means of no. 1 haven't been stored to any file
since release 4.1.15, the first release with the new input line
history.

Since February (release 4.5.11) passwords entered by means of no. 2 have
been removed as soon as the complete input line is pushed onto the
history stack provided that MC is able to recognize the password.
Enter a URL with an embedded password into the command line, move
backward and forward (M-p, M-n) in the history once and you will see
that the password has gone.

Since the same time access rights of ~/.mc/history have been restricted
to the owner in case passwords are entered where we don't expect one
and where it isn't even remotely possible to detect it as a password,
e.g. passwords entered into the search dialog of the internal viewer.

No. 3 is only used by the new samba virtual file system which is still
under development and not built by default. Use of PASSWD is a known
deficiency and it isn't even documented. PASSWD will be supplemented by
password input dialogs during further development. No need to mention
that passwords fetched from PASSWD aren't recorded to any file either.

Regards,
Norbert
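
Added illustration (not part of the original message and not Midnight Commander's code): the two safeguards the message describes, removing a recognizable URL password before a line reaches the history and restricting the history file to its owner whatever the umask, sketched in C. The function names are hypothetical.

```c
/* Added example, not Midnight Commander source; all names are hypothetical. */
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy line to out, dropping ":password" from each scheme://user:password@host.
 * Returns the number of passwords removed, or -1 if out is too small. */
int scrub_url_passwords(const char *line, char *out, size_t outlen)
{
    const char *p = line;
    size_t o = 0;
    int removed = 0;
    if (outlen == 0) return -1;
    while (*p) {
        const char *sep = strstr(p, "://");
        size_t n = sep ? (size_t)(sep + 3 - p) : strlen(p);
        if (o + n >= outlen) return -1;
        memcpy(out + o, p, n); o += n; p += n;
        if (!sep) break;
        size_t auth = strcspn(p, "/ \t");   /* user:password@host part */
        const char *at = NULL, *colon = NULL;
        for (size_t i = 0; i < auth; i++) if (p[i] == '@') at = p + i;
        if (at) colon = memchr(p, ':', (size_t)(at - p));
        if (colon) {                        /* recognizable password */
            n = (size_t)(colon - p);
            if (o + n >= outlen) return -1;
            memcpy(out + o, p, n); o += n;
            p = at;                         /* skip ":password" */
            removed++;
        }
    }
    out[o] = '\0';
    return removed;
}

/* Append the scrubbed line to the history file and force mode 0600, so neither
 * the umask nor an older, wider-mode file decides who can read it. */
int append_history(const char *path, const char *line)
{
    char clean[1024];
    if (scrub_url_passwords(line, clean, sizeof clean) < 0) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(clean);
    clean[len++] = '\n';                    /* overwrite the NUL; len <= 1023 */
    int ok = fchmod(fd, S_IRUSR | S_IWUSR) == 0 &&
             write(fd, clean, len) == (ssize_t)len;
    return close(fd) == 0 && ok ? 0 : -1;
}
```

A password containing `/` or whitespace is not recognized by this scrubber and passes through unchanged, which is why the owner-only file mode is applied as a second layer.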

