[11579] in bugtraq
Re: midnight commander vulnerability(?)
daemon@ATHENA.MIT.EDU (Norbert Warmuth)
Sun Aug 29 04:03:57 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.3.96.990823081609.2410A-100000@floh.privat.circular.de>
Date: Wed, 25 Aug 1999 08:02:04 +0200
Reply-To: Norbert Warmuth <nwarmuth@privat.circular.de>
From: Norbert Warmuth <nwarmuth@PRIVAT.CIRCULAR.DE>
X-To: BUGTRAQ@SECURITYFOCUS.COM, Thomas Biege <thomas@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.05.9908181236130.16496-100000@Galois.suse.de>

On Wed, 18 Aug 1999, Thomas Biege wrote:
> The current version (4.5.37) of mc, that is used by SuSE creates
> the history file mode 600 independently of the umask.
>
> Nevertheless, I think it's a very bad behavior to record account
> information, because it could be used by a cracker to gain access
> to more sites.
> The authors of mc should disable recording this kind of stuff.

The authors of The Midnight Commander have disabled recording
of passwords to ~/.mc/history.

Currently MC users can input passwords by three different means:

1. Password input dialogs: users are queried when a password is needed
   in order to proceed. These passwords are hidden during input.
2. For convenience's sake users are allowed to embed passwords into URLs,
   e.g. to ftp to some host they can enter
   `cd ftp://user:password@somehost' into the command line. These
   passwords are displayed in plain text during input because the
   command line's first purpose is not to input passwords. You better
   know what you are doing when you use this feature.
3. PASSWD environment variable.

Passwords entered by means of no. 1 haven't been stored to any file
since release 4.1.15, the first release with the new input line
history.

Since February (release 4.5.11) passwords entered by means of no. 2 have
been removed as soon as the complete input line is pushed onto the
history stack, provided that MC is able to recognize the password.
Enter a URL with an embedded password into the command line, move
backward and forward (M-p, M-n) in the history once and you will see
that the password has gone.

Since the same time access rights of ~/.mc/history have been restricted
to the owner in case passwords are entered where we don't expect one
and where it isn't even remotely possible to detect it as a password,
e.g. passwords entered into the search dialog of the internal viewer.

No. 3 is only used by the new samba virtual file system which is still
under development and not built by default. Use of PASSWD is a known
deficiency and it isn't even documented. PASSWD will be supplemented by
password input dialogs during further development. No need to mention
that passwords fetched from PASSWD aren't recorded to any file either.

Regards,
Norbert
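
Added example, not part of the original message and not MC's own code: a sketch of the two protections described above, removing the password from a `scheme://user:password@host` URL before the line reaches the history, and forcing the history file to mode 0600 regardless of the umask. The function names strip_url_passwords and history_append are hypothetical, and the sketch assumes the authority part of a URL ends at the first '/' or whitespace.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy `line`, dropping ":password" from each scheme://user:password@host.
 * Hypothetical helper for illustration; caller frees the result. */
char *strip_url_passwords(const char *line)
{
    char *out = malloc(strlen(line) + 1), *w = out;
    if (!out)
        return NULL;
    while (*line) {
        if (strncmp(line, "://", 3) == 0) {
            const char *auth = line + 3, *at = NULL, *colon = NULL;
            size_t alen = strcspn(auth, "/ \t"); /* authority ends here */
            for (size_t i = 0; i < alen; i++)    /* last '@' ends userinfo */
                if (auth[i] == '@')
                    at = auth + i;
            if (at)
                colon = memchr(auth, ':', (size_t)(at - auth));
            if (colon) { /* keep "://user", skip ":password", resume at '@' */
                memcpy(w, line, (size_t)(colon - line));
                w += colon - line;
                line = at;
                continue;
            }
        }
        *w++ = *line++;
    }
    *w = '\0';
    return out;
}

/* Append the scrubbed line to `path`; fchmod forces 0600 whatever the umask
 * and also tightens a file that already existed with looser permissions. */
int history_append(const char *path, const char *line)
{
    char *clean = strip_url_passwords(line);
    int fd = clean ? open(path, O_WRONLY | O_CREAT | O_APPEND, 0600) : -1;
    int ok = fd >= 0 && fchmod(fd, 0600) == 0
          && write(fd, clean, strlen(clean)) == (ssize_t)strlen(clean)
          && write(fd, "\n", 1) == 1;
    if (fd >= 0)
        close(fd);
    free(clean);
    return ok ? 0 : -1;
}
```

A password typed somewhere it cannot be recognized (the search dialog case mentioned above) passes through the scrubber unchanged, which is why the file mode is enforced as well.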