Re: Pen testing a CVS server

From: Alexandre Carmel-Veilleux (saruman@northernhacking.org)
Date: Sun May 18 2003 - 15:20:26 EDT

• Next message: Royans Tharakan: "RE: Pen testing a CVS server"
• Previous message: Bugsy: "Pen testing a CVS server"
• In reply to: Bugsy: "Pen testing a CVS server"
• Next in thread: Lluis Mora: "RE: Pen testing a CVS server"
• Reply: Lluis Mora: "RE: Pen testing a CVS server"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Sun, May 18, 2003 at 07:17:09AM -0700, Bugsy wrote:
>
> Checking passwords
> cvs -d :pserver:root@host.domain.com:/wrong/cvs/root
> login
> Tells me if i got the root password right or not.

        Hmm, I've never been in any environement where CVS didn't have it's
own, separate, password and group files. So this should not yield an actual
user passwords. Assuming the password is different then the system one.

        I agree that the error messages should be terser in order to leak
less information, possibly with an n seconds timeout after an error.

Alex

• application/pgp-signature attachment: stored

• Next message: Royans Tharakan: "RE: Pen testing a CVS server"
• Previous message: Bugsy: "Pen testing a CVS server"
• In reply to: Bugsy: "Pen testing a CVS server"
• Next in thread: Lluis Mora: "RE: Pen testing a CVS server"
• Reply: Lluis Mora: "RE: Pen testing a CVS server"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:33 EDT