No big deal but certainly a security leak easily fixable.
busybox-trunk.bug1383.00.diff [^] (10,349 bytes) 06-07-07 07:40 
| Anonymous | Login | Signup for a new account | 11-10-2008 11:16 PST |
| Main | My View | View Issues | Change Log | Docs |
| Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
| 0001383 | [BusyBox] Security | minor | always | 06-07-07 04:57 | 06-15-07 03:37 | ||||
| Reporter | iggarpe | View Status | public | ||||||
| Assigned To | BusyBox | ||||||||
| Priority | normal | Resolution | fixed | ||||||
| Status | closed | Product Version | svn | ||||||
| Summary | 0001383: login gives information on user existence | ||||||||
| Description |
If a non existing user is entered at the login prompt, it will return an error, istead of asking for the password as the standard login does. This gives information to a potential attacker about the existence of given user in the system. No big deal but certainly a security leak easily fixable. |
||||||||
| Additional Information | |||||||||
| Attached Files |
busybox-trunk.bug1383.00.diff [^] (10,349 bytes) 06-07-07 07:40 |
||||||||
|
|
|||||||||
 Relationships |
|
|
Notes |
|
|
(0002460) bernhardf 06-07-07 07:39 |
Something like the attached patch? Can you test this, please? thanks in advance and cheers, |
|
(0002467) vda 06-08-07 08:32 |
Fixed in svn 18782. Thanks! |
|
(0002470) bernhardf 06-09-07 02:04 |
vda, why don't you reuse e.g. bb_msg_full_version instead of "aa"? Just curious.. |
|
(0002471) vda 06-09-07 15:55 |
bb_msg_full_version instead of "aa" will work, but it's much lee obvious that it is 100% safe. I mean, that no password ever will match bb_msg_full_version after crypt(). If you really want this, please replace "aa" with bb_msg_full_version + put a detailed comment why it is 100% safe (at bb_msg_full_version definition too). |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 06-07-07 04:57 | iggarpe | New Issue | |
| 06-07-07 04:57 | iggarpe | Status | new => assigned |
| 06-07-07 04:57 | iggarpe | Assigned To | => BusyBox |
| 06-07-07 07:39 | bernhardf | Note Added: 0002460 | |
| 06-07-07 07:40 | bernhardf | File Added: busybox-trunk.bug1383.00.diff | |
| 06-08-07 08:32 | vda | Status | assigned => closed |
| 06-08-07 08:32 | vda | Note Added: 0002467 | |
| 06-08-07 08:32 | vda | Resolution | open => fixed |
| 06-09-07 02:04 | bernhardf | Status | closed => feedback |
| 06-09-07 02:04 | bernhardf | Resolution | fixed => reopened |
| 06-09-07 02:04 | bernhardf | Note Added: 0002470 | |
| 06-09-07 15:55 | vda | Note Added: 0002471 | |
| 06-15-07 03:37 | bernhardf | Status | feedback => closed |
| 06-15-07 03:37 | bernhardf | Resolution | reopened => fixed |
| Copyright © 2000 - 2006 Mantis Group |  |
