[BusyBox 0001383]: login gives information on user existence
bugs at busybox.net
bugs at busybox.net
Thu Jun 7 07:39:57 PDT 2007
A NOTE has been added to this issue.
======================================================================
http://busybox.net/bugs/view.php?id=1383
======================================================================
Reported By: iggarpe
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 1383
Category: Security
Reproducibility: always
Severity: minor
Priority: normal
Status: assigned
======================================================================
Date Submitted: 06-07-2007 04:57 PDT
Last Modified: 06-07-2007 07:39 PDT
======================================================================
Summary: login gives information on user existence
Description:
If a non existing user is entered at the login prompt, it will return an
error, istead of asking for the password as the standard login does. This
gives information to a potential attacker about the existence of given
user in the system.
No big deal but certainly a security leak easily fixable.
======================================================================
----------------------------------------------------------------------
bernhardf - 06-07-07 07:39
----------------------------------------------------------------------
Something like the attached patch? Can you test this, please?
thanks in advance and cheers,
Issue History
Date Modified Username Field Change
======================================================================
06-07-07 04:57 iggarpe New Issue
06-07-07 04:57 iggarpe Status new => assigned
06-07-07 04:57 iggarpe Assigned To => BusyBox
06-07-07 07:39 bernhardf Note Added: 0002460
======================================================================
More information about the busybox-cvs
mailing list