passwords handling (was Re: troubles with Gosa)
Petter Reinholdtsen wrote, on 24/03/2012 23:52:
The GOsa->Kerberos sync script is from debian-edu-config, see
/usr/share/debian-edu-config/tools/gosa-sync.
Thanks, I noticed $USERPASSWD was not quoted in this file, nor in
/etc/gosa/gosa.conf, and this very likely allows users to run
exploits through their password string (on top of breaking passwords
containing spaces).
I sent a bug report with a patch to bugs.debian.org, as advised in the
documentation.
I wonder if quotes could also be used to run exploits through the password?
For the first user, there is also
/usr/share/debian-edu-config/tools/kerberos-kdc-init and
/usr/bin/ldap-debian-edu-install.
I didn't have time to check those, and it is less important as they are not
run by students.
regards,
-- Samuel Krempp
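The quoting problem raised in the message above, as an added example that is not code from this thread, from gosa-sync or from gosa.conf: fake_sync stands in for a password sync script (it only reports how many argv words arrived after the username), and the three hook_* functions model a caller that substitutes the password into a command line with no quoting, with double quotes, and with no shell re-parsing at all. eval stands in for a hook runner that hands the assembled line to /bin/sh; all names and password strings are constructed for the example.

```shell
#!/bin/sh
# Added example (hypothetical names). Shows what an unquoted password
# expansion does to word splitting and command injection, what double
# quotes fix, and what they do not fix.

marker=clean      # flipped to "pwned" if any injected command actually runs

# Stand-in for the sync script: prints how many words it received after the
# username. A correct caller delivers the password as exactly one word.
fake_sync() {
    shift
    echo "$#"
}

# Hook style 1: password substituted into a command-line template without
# quotes, then the whole line is re-parsed by the shell. Spaces split the
# password into several words, and ';' starts a second command.
hook_unquoted() {
    eval "fake_sync alice $1"
}

# Hook style 2: placeholder wrapped in double quotes. Spaces and ';' are now
# inert, but a password containing a double quote closes the quoting and
# everything after it is parsed as shell code again.
hook_dquoted() {
    eval "fake_sync alice \"$1\""
}

# Safe: no template at all. The password is passed as one argv word inside
# "$1" and is never re-parsed, whatever characters it contains. This is the
# same fix as writing "$USERPASSWD" instead of $USERPASSWD in a script.
hook_safe() {
    fake_sync alice "$1"
}

reset() { marker=clean; }

# Demonstration when run directly (constructed passwords).
printf 'unquoted, password "hello world": %s word(s)\n' "$(hook_unquoted 'hello world')"
printf 'dquoted,  password "hello world": %s word(s)\n' "$(hook_dquoted 'hello world')"
printf 'safe,     password "hello world": %s word(s)\n' "$(hook_safe 'hello world')"

reset; hook_unquoted 'x;marker=pwned' >/dev/null
printf 'unquoted, password with ";": marker=%s\n' "$marker"
reset; hook_dquoted 'x;marker=pwned' >/dev/null
printf 'dquoted,  password with ";": marker=%s\n' "$marker"
reset; hook_dquoted 'x";marker=pwned;:"' >/dev/null
printf 'dquoted,  password with a double quote: marker=%s\n' "$marker"
reset; hook_safe 'x";marker=pwned;:"' >/dev/null
printf 'safe,     password with a double quote: marker=%s\n' "$marker"
reset
```

Quoting the expansion inside the script is the right fix for the word-splitting problem, but any layer that assembles a command line as a string and feeds it to a shell stays exploitable through whatever quote or escape character that layer uses; the robust pattern is to hand the password over as its own argument (or on stdin) so no shell ever re-parses it.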