Re: midnight commander vulnerability(?)

From: Norbert Warmuth (nwarmuthat_private)
Date: Tue Aug 24 1999 - 23:02:04 PDT

Next message: Przemyslaw Frasunek: "FW: RE: fts_print() , find and other stuff ?"

Previous message: Stas Kisel: "Re: FreeBSD (and other BSDs?) local root explot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 18 Aug 1999, Thomas Biege wrote:
> The current version (4.5.37) of mc, that is used by SuSE creates
> the history file mode 600 independently of the umask.
>
> Nevertheless, I think it's a very bad behavior to record account
> informations, because it could be used by a cracker to gain access
> to more sites.
> The authors of mc should disable recording these kind of stuff.

The authors of The Midnight Commander do have disabled recording
of passwords to ~/.mc/history.

Currently MC users can input passwords by three different means:
1. Password input dialogs: users are queried when a password is needed
   in order to proceed. These passwords are hidden during input.
2. For conveniance sake users are allowed to embed passwords into urls,
   e.g. to ftp to some host they can enter
   `cd ftp://user:password@somehost' into the commandline. These
   passwords are displayed in plain text during input because the
   command line's first purpose is not to input passwords. You better
   know what you are doing when you use this feature.
3. PASSWD environment variable.

Passwords entered by means of no. 1 haven't been stored to any file
since release 4.1.15, the first release with the new input line
history.

Since Februar (release 4.5.11) passwords entered by means of no. 2 have
been removed as soon as the complete input line is pushed onto the
history stack provided that MC is able to recognize the password.
Enter an URL with an embedded password into the command line, move
backward and forward (M-p, M-n) in the history once and you will see
that the password has gone.

Since the same time access rights of ~/.mc/history have been restricted
to the owner in case passwords are entered where we don't expect one
and where it isn't even remotly possible to detect it as a password,
e.g. passwords entered into the search dialog of the internal viewer.

No. 3 is only used by the new samba virtual file system which is still
under development and not build by default. Use of PASSWD is a known
deficiency and it isn't even documented. PASSWD will be supplemented by
password input dialogs during further development. No need to mention
that passwords fetched from PASSWD aren't recorded to any file either.

Regards,
Norbert

Next message: Przemyslaw Frasunek: "FW: RE: fts_print() , find and other stuff ?"
Previous message: Stas Kisel: "Re: FreeBSD (and other BSDs?) local root explot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:25 PDT