From: Stijn Hoop (stijn_at_win.tue.nl)
Date: Tue Jan 21 2003 - 09:38:56 CST
On Wed, Jan 22, 2003 at 12:34:20AM +0900, Tod McQuillin wrote:
> On Tue, 21 Jan 2003, Stijn Hoop wrote:
> > The advisory claims that 'This does not apply to :pserver: method only',
> > but what other method exists where you don't have to have a shell account?
> > In other words, I have a CVS server where people use :ext: with
> > CVS_RSH=ssh. How can one compromise this setup without compromising SSH?
>
> Even though there is a shell account, maybe the shell is set to cvs
> itself. If so, normally you can't run anything but cvs but if you can
> exploit it then you can get a shell on the cvs server.
OK, thanks for explaining, I didn't think of that possibility.
Fortunately I only have trusted local users.
--Stijn
-- What would this sentence be like if it weren't self-referential?