Thijs Kinkhorst wrote:
Don Armstrong discovered that ldapscripts, a suite of tools to manipulate user accounts in LDAP, sends the password as a command line argument when calling LDAP programs, which may allow a local attacker to read this password from the process listing.
"BOFH" discovered that Allset's backup scripts, a collection of roughly written and not tested scripts for backup purposes, send the password as a command line argument when doing their backup, which may allow a local attacker to read this password from the process listing.
As this script uses root to log in (?!?), this is effectively a root exploit! Oh fsck! When will people think for once?!

--
Regards,
Harrie
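
An audit check for the exposure this thread describes, added here as an example and not part of the original post or of ldapscripts: it flags passwords carried in a process's arguments and redacts them before logging. The tool list, the option patterns and the sample command lines are assumptions constructed for the illustration.

```python
import os
import re

# Assumed rules for this example: the OpenLDAP client tools take the bind
# password as the value of -w; -y <file> and -W (prompt) keep it out of argv.
LDAP_TOOLS = {"ldapsearch", "ldapadd", "ldapmodify", "ldapdelete", "ldappasswd"}
# Long options carrying a secret inline (a heuristic, not an exhaustive list).
INLINE_SECRET = re.compile(r"^(--(?:bind)?pass(?:word|wd)?=).+", re.I)

def parse_cmdline(raw):
    """Split the NUL-separated layout of /proc/<pid>/cmdline into arguments."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def exposed_secrets(argv):
    """Return (index, prefix_to_keep) for each argument that holds a password."""
    if not argv:
        return []
    is_ldap = os.path.basename(argv[0]) in LDAP_TOOLS
    hits, i = [], 1
    while i < len(argv):
        arg = argv[i]
        inline = INLINE_SECRET.match(arg)
        if inline:
            hits.append((i, inline.group(1)))   # --password=secret
        elif is_ldap and arg == "-w" and i + 1 < len(argv):
            hits.append((i + 1, ""))            # -w secret
            i += 1
        elif is_ldap and arg.startswith("-w") and len(arg) > 2:
            hits.append((i, "-w"))              # -wsecret
        i += 1
    return hits

def redact(argv):
    """Return a copy of argv that is safe to write to a log or a ticket."""
    out = list(argv)
    for index, prefix in exposed_secrets(argv):
        out[index] = prefix + "<redacted>"
    return out

# Constructed samples in /proc/<pid>/cmdline layout; the backup script path is
# hypothetical and none of these lines come from the post.
SAMPLES = [
    b"/usr/bin/ldapmodify\0-x\0-D\0cn=admin,dc=example,dc=org\0-w\0s3cret\0",
    b"ldapsearch\0-x\0-D\0cn=admin,dc=example,dc=org\0-y\0/etc/ldap.secret\0",
    b"/opt/backup/run.sh\0--user=root\0--password=hunter2\0",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        argv = parse_cmdline(raw)
        state = "EXPOSED" if exposed_secrets(argv) else "ok"
        print(f"{state:8}", " ".join(redact(argv)))
```

The second sample shows the form that keeps the password out of the process listing: the secret is read from a file named with `-y` instead of being passed as an argument.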