[11442] in bugtraq

Re: midnight commander vulnerability(?)

daemon@ATHENA.MIT.EDU (Thomas Biege)
Fri Aug 20 19:37:35 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.05.9908181236130.16496-100000@Galois.suse.de>
Date:         Wed, 18 Aug 1999 12:48:05 +0200
Reply-To: Thomas Biege <thomas@SUSE.DE>
From: Thomas Biege <thomas@SUSE.DE>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <37BA8B6B.EEB272BE@muenster.net>

Hi,

> privileges of $HOME/.mc/ are default rwx-rx--rx-
> if anyone has used built in mc ftp-client and has put link like:
> password:user@some.host, in file
> history in folder $HOME/.mc/ is stored in a key in '[inp FTP to machine
> ]'
> tree.

The current version (4.5.37) of mc, which is used by SuSE, creates
the history file mode 600 independently of the umask.

Nevertheless, I think it's a very bad behavior to record account
information, because it could be used by a cracker to gain access
to more sites.
The authors of mc should disable recording this kind of stuff.


Bye,
     Thomas
--
  Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
  E@mail: thomas@suse.de      Function: Security Support & Auditing
  "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
  Key fingerprint = E3 42 DA D1 3B 9C 23 D0  93 1F B8 2E 6B 9A 45 82
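
An added example, not part of the original message and not mc's own code: a Python audit of the two points raised in this thread, group/other permission bits on the .mc directory and its history file, and login strings saved under an '[inp ...]' history section. The "N=value" key layout, the credential pattern, the function names and the sample file are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumed shape of a stored login: "<token>:<token>@<host>", as in the quoted report.
CRED_RE = re.compile(r"[^\s:/@=]+:[^\s:/@]+@[\w.-]+")

# Constructed sample; the "N=value" key layout is an assumption.
SAMPLE = """[inp FTP to machine ]
0=secret:alice@ftp.example.org
1=ftp.example.org
[cmdline]
0=ls -l
"""

def loose_mode(path):
    """Return the permission bits if group/other have any access, else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode if mode & 0o077 else None

def audit_mc_dir(mc_dir):
    """Check one .mc directory; findings name locations, never the secret."""
    history = os.path.join(mc_dir, "history")
    findings = []
    for path in (mc_dir, history):
        mode = loose_mode(path)
        if mode is not None:
            findings.append(("mode", path, f"{mode:03o}"))
    section = ""
    with open(history, errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line  # entering a new history section
            elif section.startswith("[inp") and CRED_RE.search(line):
                findings.append(("credential", section, lineno))
    return findings

def demo():
    """Build the constructed sample with world-readable modes and audit it."""
    with tempfile.TemporaryDirectory() as home:
        mc_dir = os.path.join(home, ".mc")
        os.mkdir(mc_dir)
        with open(os.path.join(mc_dir, "history"), "w") as fh:
            fh.write(SAMPLE)
        os.chmod(mc_dir, 0o755)
        os.chmod(os.path.join(mc_dir, "history"), 0o644)
        return audit_mc_dir(mc_dir)
```

A history file created mode 600 inside a mode 700 directory clears the two mode findings, but the credential finding remains until the entry itself is removed.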
