[18127] in bugtraq
Re: J-Pilot Permissions Vulnerability
daemon@ATHENA.MIT.EDU (Christian)
Mon Dec 18 17:09:59 2000
Mail-Followup-To: Weston Pawlowski <bug@WESTON.CX>, BUGTRAQ@SECURITYFOCUS.COM
Message-Id: <20001216152623.A11911@diffie.it.murdoch.edu.au>
Date: Sat, 16 Dec 2000 15:26:23 +0800
Reply-To: Christian <christian@dijkstra.MURDOCH.EDU.AU>
From: Christian <christian@dijkstra.MURDOCH.EDU.AU>
X-To: Weston Pawlowski <bug@WESTON.CX>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20001214082122.19994.qmail@securityfocus.com>; from
bug@WESTON.CX on Thu, Dec 14, 2000 at 08:21:22AM -0000

On Thu, Dec 14, 2000 at 08:21:22AM -0000, Weston Pawlowski wrote:
> The good news is that it's probably not very
> common for someone to sync their PalmOS device on
> a system that many, if any, other people have
> shell access to. But, if this situation does
> happen, the vulnerable user is likely to be the
> owner of the machine (since he has to be local),
> and there's the possibility that he may keep a
> password list on his PalmOS device. In which case,
> any user could get the system admin's passwords,
> which obviously may include the system's root
> password.

The permissions probably should be stricter but hopefully
security-conscious Palm/JPilot users don't keep sensitive information
like passwords and PINs stored in plaintext on these devices. There are
numerous free applications like strip (for passwords) and CryptoPad (for
encrypted memos) which use strong encryption.

Regards,
Christian.