CVS woes: .cvspass

From: Chiaki (ishikawa_at_yk.rim.or.jp)
Date: 07/26/04

    Date: Tue, 27 Jul 2004 03:00:52 +0900
    To: bugtraq@securityfocus.com
    
    

    The file revision control system, CVS,
    stores the often-used server's password in
    the user's .cvspass file. (When we use pserver mode to set up a
    central repository and access it from remote workstations,
    that is.)

    The password is "lightly scrambled" against accidental disclosure
    to a casual reader, but descrambling it is rather easy.

    Several days ago, I needed to recall the CVS password, but
    I found myself not recalling it, since I relied on the automatic
    login using the password in .cvspass too much.
    So I used the easy descrambling on my own .cvspass file
    under my home directory to recover the password.
    (The same password is used to encrypt
    a PDF file by my fellow worker. He remembers the password. A good thing.)

    However, as I recovered the password from .cvspass, I found
    one troubling situation.
    When I tried to find out how to descramble the lightly
    scrambled password in .cvspass using Google
    (and this was before I checked the CVS source file, which
    I eventually did, and which solved my ordeal),
    I found MANY hits of people's .cvspass files on the web.
    They contain lightly scrambled passwords.

    Granted, many of these files under user home directories
    visible on the web
    must hold the password used for an anonymous or
    publicly usable CVS server, but I doubt that ALL of them
    are the result of such benign neglect.

    Is it likely that some .cvspass visible on the web using
    Google search may contain some valuable password to
    a reasonably important server? I think the chances are high. UGH.

    This probably has been a common knowledge among the blackhat community.

    The weak password problem has been discussed often (see the
    relevant two hits from the .cvspass search in Google), but
    having the file published on the web and being indexed by Google
    is something I didn't expect to see happening.
    No difficult effort needs to be spent to collect .cvspass files.

    URL: Discussions about .cvspass. Found on the first page of
    the Google search for ".cvspass".

    http://www.derkeiler.com/Mailing-Lists/securityfocus/pen-test/2003-05/0073.html

    http://www.contactor.se/~dast/svn/archive-2003-01/0851.shtml

    -- 
    int main(void){int j=2003;/*(c)2003 cishikawa. */
    char t[] ="<CI> @abcdefghijklmnopqrstuvwxyz.,\n\"";
    char *i ="g>qtCIuqivb,gCwe\np@.ietCIuqi\"tqkvv is>dnamz";
    while(*i)((j+=strchr(t,*i++)-(int)t),(j%=sizeof t-1),
    (putchar(t[j])));return 0;}/* under GPL */
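An added defender-side check, not part of Chiaki's post or of CVS itself: it walks a directory tree (for instance a web document root about to be published) for `.cvspass` files, parses each entry to report which pserver account and repository the stored credential belongs to, and flags files readable by group or others. The two line formats in the regex are my assumption about how CVS clients write `.cvspass`; the scrambled field is never decoded, only its length is reported, and the sample content is constructed.

```python
"""Audit a directory tree for exposed CVS .cvspass files (defender-side check).

Assumed .cvspass line formats (my reading of the CVS client, not from the post):
  /1 :pserver:user@host:2401/cvsroot Ascrambled   (newer clients)
  :pserver:user@host:/cvsroot Ascrambled          (older clients)
The scrambled password is never decoded here; only its length is reported.
"""
import os
import re
import stat

ENTRY_RE = re.compile(
    r"^(?:/1\s+)?:pserver:(?P<user>[^@\s]+)@(?P<host>[^:/\s]+)"
    r"(?::(?P<port>\d*))?(?P<repo>/\S*)\s+(?P<scrambled>\S+)\s*$"
)

# Constructed sample of a .cvspass file (not a real credential file).
SAMPLE = (
    "/1 :pserver:alice@cvs.example.internal:2401/cvsroot Axyz123\n"
    ":pserver:anon@cvs.example.org:/repo Aabc\n"
    "# not an entry\n"
)

def parse_cvspass(text):
    """Return one dict per valid entry, with the scrambled password masked."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "user": m["user"], "host": m["host"],
            "port": m["port"] or "2401",           # pserver default port
            "repo": m["repo"],
            "scrambled_len": len(m["scrambled"]),  # length only, value withheld
        })
    return entries

def audit_tree(root):
    """Find every .cvspass under root; flag those readable by group/other."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".cvspass" not in files:
            continue
        path = os.path.join(dirpath, ".cvspass")
        mode = os.stat(path).st_mode
        with open(path, encoding="utf-8", errors="replace") as fh:
            entries = parse_cvspass(fh.read())
        findings.append({
            "path": path,
            "world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            "entries": entries,
        })
    return findings

if __name__ == "__main__":
    for e in parse_cvspass(SAMPLE):
        print(f"{e['user']}@{e['host']}:{e['port']}{e['repo']} ({e['scrambled_len']} chars)")
```

Run it as `audit_tree("/var/www/html")` before publishing a directory; any finding means a credential-bearing file would be served to the web.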
    
