Chetcpasswd 2.x: multiple vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Chetcpasswd 2.x: multiple vulnerabilities
From: riclem@xxxxxxxxx
Date: 13 Nov 2006 19:06:18 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

>From Debian.org:

"chetpasswd uses the HTTP_X_FORWARDED_FOR for authentication purposes(...). 
Obviously, HTTP_X_FORWARDED_FOR is not a trusted variable, and can be spoofed 
by any scriptkiddie who can read the man page of wget (...).

Furthermore, this cgi script doesn't seem to implement any rate limiting for 
the passwd checks, thereby  allowing for a dictionary attack via http.  Also, 
it seems to give different a error message if the user is not found then if the 
entered password is wrong, thereby exposing the names of user accounts to 
external attackers (...)."

The original message and others are available at 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=394454

Prev by Date: Bloo => 1.00 Remote File Include Vulnerability
Next by Date: Secunia Research: MDaemon Insecure Default Directory Permissions
Previous by thread: Bloo => 1.00 Remote File Include Vulnerability
Next by thread: Secunia Research: MDaemon Insecure Default Directory Permissions
Index(es):
- Date
- Thread