Report a bug related to ssh key exchange.



Hi all,

Let me introduce myself: I'm an Italian boy, 22 years old, and I have worked in IT
technologies for about 2 years.

I have an enormous passion for computing in general.

I found a dangerous bug about ssh with key exchange.

The bug affects only some distributions, in particular those that are
used as a web server.

If I create a directory ".ssh" for the user "www-data" in his home,
which is usually "/var/www/", I can log in to the computer with: "ssh
www-data@computer"

This is a stupid bug, but it's very dangerous.

For my own reasons, I entered a site hosted on a Debian system, using
"Joomla administration" (a famous CMS), adding my "ssh key" to the
".ssh/authorized_keys".

Maybe someone has already found it, but saying it another time is not bad.

Debian version:
Linux HostName 2.6.8-3-686-smp #1 SMP Tue Dec 5 23:17:50 UTC 2006 i686 GNU/Linux
ssh version:
OpenSSH_3.8.1p1 Debian-8.sarge.6, OpenSSL 0.9.7e 25 Oct 2004

Sorry for my bad English!!!

Regards

Alberto Bravi, from Italy;)


-- 

*Alberto Bravi*

---------------------------------

E-mail: alberto.bravi@gmail.com

Skype: alberto.bravi

This e-mail message and any files transmitted with it contain
confidential information intended only for the person(s) to whom it is
addressed. If you are not the intended recipient, you are hereby
notified that any use or distribution of this e-mail is strictly
prohibited, please notify the sender and delete the original message.
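
Added example, not part of the original message: a defensive audit for the condition this report describes, a service account such as "www-data" that has a login shell and a home directory able to hold ".ssh/authorized_keys". The function name, the UID cutoff of 999 for system accounts and the sample passwd entries are assumptions made for this illustration.

```python
import os

# Shells that refuse an interactive session; anything else counts as a login shell.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def audit_service_accounts(passwd_text, root="/", max_system_uid=999):
    """Flag system accounts whose home holds, or can receive, SSH authorized keys.

    passwd_text -- contents of an /etc/passwd-style file
    root        -- prefix for resolving home directories (a mounted image, a test tree)
    """
    findings = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # comment, blank or malformed entry
        name, uid, home, shell = fields[0], int(fields[2]), fields[5], fields[6]
        if not 0 < uid <= max_system_uid:
            continue  # root and ordinary users are out of scope here
        home_path = os.path.join(root, home.lstrip("/"))
        has_keys = os.path.isfile(os.path.join(home_path, ".ssh", "authorized_keys"))
        login_shell = shell not in NOLOGIN_SHELLS
        try:
            st = os.stat(home_path)
            # Writable by the account itself, or by everyone.
            writable = bool((st.st_uid == uid and st.st_mode & 0o200) or st.st_mode & 0o002)
        except OSError:
            writable = False  # no home directory, so nowhere to place keys
        # Report keys already present, or a login shell plus a home the account can write to.
        if has_keys or (login_shell and writable):
            findings.append({"user": name, "login_shell": login_shell,
                             "authorized_keys": has_keys, "home_writable": writable})
    return findings

# Constructed sample input (not taken from the reported host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit_service_accounts(SAMPLE_PASSWD):
        print(finding)
```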

