Penetration Testing mailing list archives
Re: Pen testing a CVS server
From: Alexandre Carmel-Veilleux <saruman () northernhacking org>
Date: Sun, 18 May 2003 15:20:26 -0400
On Sun, May 18, 2003 at 07:17:09AM -0700, Bugsy wrote:
Checking passwords cvs -d :pserver:root () host domain com:/wrong/cvs/root login Tells me if i got the root password right or not.
Hmm, I've never been in any environement where CVS didn't have it's own, separate, password and group files. So this should not yield an actual user passwords. Assuming the password is different then the system one. I agree that the error messages should be terser in order to leak less information, possibly with an n seconds timeout after an error. Alex
Attachment:
_bin
Description:
Current thread:
- Pen testing a CVS server Bugsy (May 18)
- Re: Pen testing a CVS server Alexandre Carmel-Veilleux (May 20)
- RE: Pen testing a CVS server Lluis Mora (May 20)
- <Possible follow-ups>
- RE: Pen testing a CVS server Royans Tharakan (May 20)
- Re: Pen testing a CVS server Alexandre Carmel-Veilleux (May 20)