Re: Pen testing a CVS server

From: Alexandre Carmel-Veilleux (sarumannorthernhacking.org)
Date: Sun May 18 2003 - 14:20:26 CDT


On Sun, May 18, 2003 at 07:17:09AM -0700, Bugsy wrote:
>
> Checking passwords
> cvs -d :pserver:roothost.domain.com:/wrong/cvs/root
> login
> Tells me if I got the root password right or not.

        Hmm, I've never been in any environment where CVS didn't have its
own, separate, password and group files. So this should not yield actual
user passwords, assuming the password is different from the system one.

        I agree that the error messages should be terser in order to leak
less information, possibly with an n-second timeout after an error.

Alex

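As an added illustration, not part of the original thread, of why the terser-error and timeout suggestion matters: a Python model of a pserver-style login handler, first in a leaky form that lets a caller with a bogus repository path learn whether the password was right, then hardened to answer uniformly and pause after any failure. The password store, repository list, hash scheme and the "no such repository" text are constructed for the example; only the "I LOVE YOU" / "I HATE YOU" replies mirror the real pserver protocol.

```python
import hashlib
import hmac
import time

# Constructed stand-in for CVSROOT/passwd: user -> (salt, hash). Real CVS stores
# crypt(3) hashes; a salted SHA-256 is used here only to keep the example self-contained.
SALT = b"constructed-salt"


def _hash(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


PASSWD = {"root": (SALT, _hash(SALT, "s3cret"))}      # constructed sample entry
REPOSITORIES = {"/home/cvs/root"}                      # constructed sample roots


def leaky_login(repo: str, user: str, password: str) -> str:
    """Checks the password first and reports the repository problem separately,
    so the reply differs depending on whether the password was correct."""
    entry = PASSWD.get(user)
    if entry is None or not hmac.compare_digest(_hash(entry[0], password), entry[1]):
        return "I HATE YOU"
    if repo not in REPOSITORIES:
        return f"error 0 {repo}: no such repository"   # constructed message text
    return "I LOVE YOU"


class HardenedServer:
    """Uniform failure reply plus an n-second penalty after any failed attempt."""

    def __init__(self, delay_seconds: float = 3.0, sleep=time.sleep):
        self.delay_seconds = delay_seconds
        self.sleep = sleep          # injectable so tests need not really wait

    def login(self, repo: str, user: str, password: str) -> str:
        ok_repo = repo in REPOSITORIES
        # Always hash against some entry so unknown users cost the same work.
        salt, stored = PASSWD.get(user, (SALT, _hash(SALT, "")))
        ok_pw = user in PASSWD and hmac.compare_digest(_hash(salt, password), stored)
        if ok_repo and ok_pw:
            return "I LOVE YOU"
        self.sleep(self.delay_seconds)   # same penalty whichever check failed
        return "I HATE YOU"              # same reply whichever check failed


if __name__ == "__main__":
    print(leaky_login("/wrong/cvs/root", "root", "s3cret"))   # reveals the password was right
    print(HardenedServer(sleep=lambda s: None).login("/wrong/cvs/root", "root", "s3cret"))
```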