[BusyBox 0001383]: login gives information on user existence
bugs at busybox.net
Sat Jun 9 22:55:47 UTC 2007
A NOTE has been added to this issue.
======================================================================
http://busybox.net/bugs/view.php?id=1383
======================================================================
Reported By: iggarpe
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 1383
Category: Security
Reproducibility: always
Severity: minor
Priority: normal
Status: feedback
======================================================================
Date Submitted: 06-07-2007 04:57 PDT
Last Modified: 06-09-2007 15:55 PDT
======================================================================
Summary: login gives information on user existence
Description:
If a non-existing user is entered at the login prompt, it will return an
error, instead of asking for the password as the standard login does. This
gives information to a potential attacker about the existence of a given
user in the system.
No big deal but certainly a security leak easily fixable.
======================================================================
----------------------------------------------------------------------
bernhardf - 06-07-07 07:39
----------------------------------------------------------------------
Something like the attached patch? Can you test this, please?
thanks in advance and cheers,
----------------------------------------------------------------------
vda - 06-08-07 08:32
----------------------------------------------------------------------
Fixed in svn 18782. Thanks!
----------------------------------------------------------------------
bernhardf - 06-09-07 02:04
----------------------------------------------------------------------
vda, why don't you reuse e.g. bb_msg_full_version instead of "aa"?
Just curious..
----------------------------------------------------------------------
vda - 06-09-07 15:55
----------------------------------------------------------------------
bb_msg_full_version instead of "aa" will work, but it's much less obvious
that it is 100% safe. I mean, that no password ever will match
bb_msg_full_version after crypt(). If you really want this, please replace
"aa" with bb_msg_full_version + put a detailed comment why it is 100% safe
(at bb_msg_full_version definition too).
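The behaviour the report describes and the shape of the fix discussed above, as an added Python example that is not BusyBox code: pbkdf2_hmac stands in for crypt(), the user table and salt are constructed, and the 2-character dummy hash plays the role of the "aa" string that no crypt() output can equal (a crypt() result is always 13 or more characters, so a 2-character "stored hash" can never match).

```python
import hashlib
import hmac

# Constructed sample data: a fixed salt and one real account.
_SALT = b"constructed-salt"


def _hash(password: str, salt: bytes) -> str:
    # Stand-in for crypt(): always 64 hex characters.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Plays the role of BusyBox's "aa": no real hash output can ever equal a
# 2-character string, so comparing against it always fails but still runs
# the full hashing path.
IMPOSSIBLE_HASH = "aa"


def login_leaky(user: str, password: str) -> str:
    """Before the fix: bail out early for unknown users with a distinct reply."""
    if user not in USERS:
        return "unknown user"  # reply differs from a wrong password -> enumeration
    salt, stored = USERS[user]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "ok"
    return "login incorrect"


def login_uniform(user: str, password: str) -> str:
    """After the fix: unknown users go through the same hash-and-compare path."""
    salt, stored = USERS.get(user, (b"\x00" * len(_SALT), IMPOSSIBLE_HASH))
    # Hashing runs for both cases, so timing and the reply are the same.
    if hmac.compare_digest(_hash(password, salt), stored):
        return "ok"
    return "login incorrect"


def leaks_user_existence(login) -> bool:
    """Defender check: does a wrong password for a real user reply differently
    from any password for a non-existent user?"""
    return login("alice", "wrong") != login("nobody", "wrong")
```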
Issue History
Date Modified Username Field Change
======================================================================
06-07-07 04:57 iggarpe New Issue
06-07-07 04:57 iggarpe Status new => assigned
06-07-07 04:57 iggarpe Assigned To => BusyBox
06-07-07 07:39 bernhardf Note Added: 0002460
06-07-07 07:40 bernhardf File Added: busybox-trunk.bug1383.00.diff
06-08-07 08:32 vda Status assigned => closed
06-08-07 08:32 vda Note Added: 0002467
06-08-07 08:32 vda Resolution open => fixed
06-09-07 02:04 bernhardf Status closed => feedback
06-09-07 02:04 bernhardf Resolution fixed => reopened
06-09-07 02:04 bernhardf Note Added: 0002470
06-09-07 15:55 vda Note Added: 0002471
======================================================================