Re: [SECURITY] [DSA 1517-1] New ldapscripts packages fix information disclosure

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 1517-1] New ldapscripts packages fix information disclosure
From: Harrie <harrie@descent.nl>
Date: Sat, 22 Mar 2008 10:20:51 +0100
Message-id: <[🔎] 47E4CF73.1080401@descent.nl>
In-reply-to: <20080315221622.6E64432687F@morgana.loeki.tv>
References: <20080315221622.6E64432687F@morgana.loeki.tv>

Thijs Kinkhorst wrote:

Don Armstrong discovered that ldapscripts, a suite of tools to manipulate
user accounts in LDAP, sends the password as a command line argument when
calling LDAP programs, which may allow a local attacker to read this password
from the process listing.

"BOFH" discovered that Allset's backup scripts, a collection of roughlywritten en not tested scripts for backup purposes, sends the password asa command line argument when doing it's backup, which may allow a localattacker to read this password from the process listing.


As this script uses root to login (?!?), this is effectively a root exploit!

Oh fsck! Wanneer denken mensen eens een keertje na?!

--
Groetjes
Harrie

Reply to:

Follow-Ups:
- Re: [SECURITY] [DSA 1517-1] New ldapscripts packages fix information disclosure
  - From: Harrie <harrie@descent.nl>

Prev by Date: AUTO: Janek Lünstedt ist außer Haus (Rückkehr am 11.04.2008)
Next by Date: Re: [SECURITY] [DSA 1517-1] New ldapscripts packages fix information disclosure
Previous by thread: AUTO: Janek Lünstedt ist außer Haus (Rückkehr am 11.04.2008)
Next by thread: Re: [SECURITY] [DSA 1517-1] New ldapscripts packages fix information disclosure
Index(es):
- Date
- Thread