Re: Pen testing a CVS server

From: Alexandre Carmel-Veilleux (sarumanat_private)
Date: Sun May 18 2003 - 12:20:26 PDT


    On Sun, May 18, 2003 at 07:17:09AM -0700, Bugsy wrote:
    > 
    > Checking passwords
    > cvs -d :pserver:rootat_private:/wrong/cvs/root
    > login
    > Tells me if I got the root password right or not.
    
    	Hmm, I've never been in any environment where CVS didn't have its
    own, separate, password and group files. So this should not yield actual
    user passwords. Assuming the password is different than the system one.
    
    	I agree that the error messages should be terser in order to leak
    less information, possibly with an n seconds timeout after an error.
    
    Alex
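
Added example, not part of the original message: a Python audit of a repository's pserver settings for the points raised above, checking whether CVS is limited to its own password file (`SystemAuth=no` in `CVSROOT/config`) and whether a `CVSROOT/passwd` entry reuses a system hash. The file contents, user names and hashes are constructed samples, and `audit()` and its helpers are hypothetical names.

```python
# Added example: audit CVS pserver authentication files (defensive check).
# CVSROOT/passwd line format: username:crypted_password[:system_user]

def parse_passwd(text):
    """Return (user, crypted, run_as) tuples; crypted is None if the field is absent."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        crypted = parts[1] if len(parts) > 1 else None
        run_as = parts[2] if len(parts) > 2 and parts[2] else parts[0]
        entries.append((parts[0], crypted, run_as))
    return entries

def system_auth_enabled(config_text):
    """SystemAuth defaults to yes when CVSROOT/config does not set it to no."""
    value = "yes"
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == "SystemAuth":
            value = val.strip().lower()
    return value != "no"

def audit(passwd_text, config_text, system_hashes=()):
    findings = []
    if system_auth_enabled(config_text):
        findings.append("SystemAuth is not 'no': users absent from "
                        "CVSROOT/passwd are checked against system passwords")
    for user, crypted, run_as in parse_passwd(passwd_text):
        if crypted == "":
            findings.append(f"{user}: empty password field, any password is accepted")
        if run_as == "root":
            findings.append(f"{user}: maps to system user root")
        # Only catches hashes copied verbatim from the system password database.
        if crypted and crypted in system_hashes:
            findings.append(f"{user}: CVS hash is identical to a system hash")
    return findings

# Constructed sample inputs (not taken from any real server).
SAMPLE_PASSWD = "anonymous:\nalice:abJnggxhB/yWI:cvsuser\nbuild:xy0constructed1:root\n"
SAMPLE_CONFIG = "# CVSROOT/config\n#SystemAuth=no\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_CONFIG):
        print(finding)
```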
    
    
    


