Re: Pen testing a CVS server
From: Alexandre Carmel-Veilleux (saruman_at_northernhacking.org)
Date: 05/18/03
Date: Sun, 18 May 2003 15:20:26 -0400 To: Bugsy <bugsy9999@yahoo.com>
On Sun, May 18, 2003 at 07:17:09AM -0700, Bugsy wrote:
>
> Checking passwords
> cvs -d :pserver:root@host.domain.com:/wrong/cvs/root login
> Tells me if I got the root password right or not.

Hmm, I've never been in any environment where CVS didn't have its
own, separate, password and group files. So this should not yield actual
user passwords, assuming the password is different than the system one.

I agree that the error messages should be terser in order to leak
less information, possibly with an n seconds timeout after an error.

Alex
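
Added example, not part of the original message or of CVS itself: a small audit of a repository's `CVSROOT/config` and `CVSROOT/passwd` contents that checks whether pserver really is using its own separate password file, as the reply describes. It assumes the standard `SystemAuth` setting and the `user:crypted_password[:system_user]` entry format; the function names and sample file contents are constructed for illustration.

```python
"""Audit a CVS repository's pserver authentication files (defensive check)."""

def parse_config(text):
    """Return the key=value settings from CVSROOT/config, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_pserver(config_text, passwd_text):
    """Return a list of findings for the given config and passwd contents."""
    findings = []
    # CVS defaults to SystemAuth=yes: a user missing from CVSROOT/passwd is
    # then checked against the operating system's accounts instead.
    if parse_config(config_text).get("SystemAuth", "yes").lower() != "no":
        findings.append("config: SystemAuth is not 'no'; "
                        "pserver logins can fall back to system passwords")
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        # Entry format: cvs_user:crypted_password[:system_user]
        fields = line.split(":")
        user = fields[0]
        crypted = fields[1] if len(fields) > 1 else ""
        run_as = fields[2] if len(fields) > 2 and fields[2] else user
        if not crypted:
            findings.append(f"passwd:{lineno}: '{user}' has an empty password field")
        if run_as == "root":
            findings.append(f"passwd:{lineno}: '{user}' maps to system user root")
    return findings

# Constructed sample files (not taken from any real repository).
SAMPLE_CONFIG = "# CVSROOT/config\n#SystemAuth=no\nLockDir=/var/lock/cvs\n"
SAMPLE_PASSWD = ("anonymous::cvsanon\n"
                 "alice:CONSTRUCTEDHASH1:cvsdev\n"
                 "root:CONSTRUCTEDHASH2\n")

if __name__ == "__main__":
    for finding in audit_pserver(SAMPLE_CONFIG, SAMPLE_PASSWD):
        print(finding)
```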