riclem@yahoo.com
18/11/06, 14:37
From Debian.org:
"chetpasswd uses the HTTP_X_FORWARDED_FOR for authentication purposes(...). Obviously, HTTP_X_FORWARDED_FOR is not a trusted variable, and can be spoofed by any scriptkiddie who can read the man page of wget (...).
Furthermore, this cgi script doesn't seem to implement any rate limiting for the passwd checks, thereby allowing for a dictionary attack via http. Also, it seems to give different a error message if the user is not found then if the entered password is wrong, thereby exposing the names of user accounts to external attackers (...)."
The original message and others are available at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=394454
"chetpasswd uses the HTTP_X_FORWARDED_FOR for authentication purposes(...). Obviously, HTTP_X_FORWARDED_FOR is not a trusted variable, and can be spoofed by any scriptkiddie who can read the man page of wget (...).
Furthermore, this cgi script doesn't seem to implement any rate limiting for the passwd checks, thereby allowing for a dictionary attack via http. Also, it seems to give different a error message if the user is not found then if the entered password is wrong, thereby exposing the names of user accounts to external attackers (...)."
The original message and others are available at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=394454