Your message dated Mon, 25 Dec 2006 18:26:19 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Has been removed
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Subject: uses HTTP_X_FORWARDED_FOR for authentication (and other security holes)
Package: chetcpasswd
Version: 2.3.3-1
Severity: critical
Tags: security
chetcpasswd uses HTTP_X_FORWARDED_FOR for authentication purposes:
if(getenv("HTTP_X_FORWARDED_FOR"))
    sprintf(IP,"%s",getenv("HTTP_X_FORWARDED_FOR"));
else
    sprintf(IP,"%s",getenv("REMOTE_ADDR"));
and then goes on to check IP against
/etc/chetcpasswd/chetcpasswd.allow.
Obviously, HTTP_X_FORWARDED_FOR is not a trusted variable, and can be
spoofed by any scriptkiddie who can read the man page of wget. Simply
spoofing it to 127.0.0.1 will give access to the password changing app
from any remote host.
Furthermore, this cgi script doesn't seem to implement any rate
limiting for the passwd checks, thereby allowing for a dictionary
attack via http. Also, it seems to give a different error message if
the user is not found than if the entered password is wrong, thereby
exposing the names of user accounts to external attackers.
There are also issues with the package not using pam, and its
circumvention of any checks the admin might have in place.
I really think this package needs a security audit.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.17.8
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
--- End Message ---
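The spoofing problem in the report comes down to which environment variable the CGI trusts when it builds the IP it compares against chetcpasswd.allow. The following C program is an added example, not chetcpasswd's code: it places the quoted selection logic beside a hardened version that only honours X-Forwarded-For when REMOTE_ADDR is a reverse proxy the site operates, and then takes the last hop (the one that proxy appended). The trusted-proxy address, the allow-list entries and the request environments are constructed for the demonstration; the real program reads them from getenv() and the allow file.

```c
/* Added example (not from chetcpasswd): trusting HTTP_X_FORWARDED_FOR
 * for an IP allow list vs. only trusting it behind a known proxy. */
#include <stdio.h>
#include <string.h>

/* A CGI request as the web server exposes it through the environment.
 * Fields are constructed here instead of read with getenv() so the
 * program runs offline. */
struct cgi_env {
    const char *remote_addr;      /* REMOTE_ADDR: the TCP peer, set by the web server */
    const char *x_forwarded_for;  /* HTTP_X_FORWARDED_FOR: client-supplied header, or NULL */
};

#define IP_MAX 64

/* Vulnerable selection, mirroring the logic quoted in the bug report:
 * the client-controlled header wins whenever it is present. */
static void client_ip_vulnerable(const struct cgi_env *env, char ip[IP_MAX]) {
    const char *src = env->x_forwarded_for ? env->x_forwarded_for : env->remote_addr;
    snprintf(ip, IP_MAX, "%s", src);
}

/* Hypothetical list of reverse proxies the site operates (constructed);
 * X-Forwarded-For carries meaning only when the TCP peer is one of these. */
static const char *trusted_proxies[] = { "10.0.0.2", NULL };

static int is_trusted_proxy(const char *addr) {
    for (const char **p = trusted_proxies; *p; p++)
        if (strcmp(*p, addr) == 0) return 1;
    return 0;
}

/* Hardened selection: use REMOTE_ADDR unless it is a trusted proxy, in
 * which case take the LAST address in X-Forwarded-For (the one our proxy
 * appended); everything before it is still attacker-controlled. */
static void client_ip_hardened(const struct cgi_env *env, char ip[IP_MAX]) {
    if (env->x_forwarded_for && is_trusted_proxy(env->remote_addr)) {
        const char *last = strrchr(env->x_forwarded_for, ',');
        last = last ? last + 1 : env->x_forwarded_for;
        while (*last == ' ') last++;
        snprintf(ip, IP_MAX, "%s", last);
    } else {
        snprintf(ip, IP_MAX, "%s", env->remote_addr);
    }
}

/* Stand-in for /etc/chetcpasswd/chetcpasswd.allow: exact-match entries (constructed). */
static const char *allow_list[] = { "127.0.0.1", "192.0.2.10", NULL };

static int ip_allowed(const char *ip) {
    for (const char **p = allow_list; *p; p++)
        if (strcmp(*p, ip) == 0) return 1;
    return 0;
}

typedef void (*ip_selector)(const struct cgi_env *, char[IP_MAX]);

/* Returns 1 if the request passes the allow-list check with the given selector. */
static int request_allowed(const struct cgi_env *env, ip_selector select) {
    char ip[IP_MAX];
    select(env, ip);
    return ip_allowed(ip);
}

int main(void) {
    /* Constructed: a remote attacker sends the header the report describes. */
    struct cgi_env spoof = { "203.0.113.5", "127.0.0.1" };
    /* Constructed: a legitimate request arriving through our proxy from an allowed host. */
    struct cgi_env via_proxy = { "10.0.0.2", "127.0.0.1, 192.0.2.10" };
    printf("spoofed, vulnerable: %d\n", request_allowed(&spoof, client_ip_vulnerable));
    printf("spoofed, hardened:   %d\n", request_allowed(&spoof, client_ip_hardened));
    printf("via proxy, hardened: %d\n", request_allowed(&via_proxy, client_ip_hardened));
    return 0;
}
```

With the spoofed request the vulnerable selector grants access (it compares 127.0.0.1 against the allow list) while the hardened one denies it, because 203.0.113.5 is not a trusted proxy and so the header is ignored entirely. The proxied request still works, and an attacker who reaches the proxy with a forged leading entry gains nothing because only the proxy-appended last hop is used.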
--- Begin Message ---
chetcpasswd has been removed from the archive; closing the open bugs.
--- End Message ---