savannah-hackers

[Savannah-hackers] Re: savannah account


From: Mathieu Roy
Subject: [Savannah-hackers] Re: savannah account
Date: 24 Aug 2002 21:47:29 +0200
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2

address@hidden (Thomas Bushnell, BSG) said:

> Mathieu Roy <address@hidden> writes:
> 
> > I do not get the point. Not so strange, I'm not author of the
> > registration procedure.
> > If you've found a security hole, please submit a bug report with
> > details or, why not, send us a patch.
> 
> Anyone who can sniff the outgoing traffic from savannah can steal the
> password of anyone they like by listening for the email message with
> the magic hash key and following the link.
> 
> Anyone who can figure out the hash function can steal the password of
> anyone they like even if they can't sniff on the email message.  Since
> any user can generate hash samples at will, it's surely not too hard
> to do this.

And do you have any proposal to fix this?

(PS: You previously said that savannah is a crappy sourceforge copy. Most of 
the security holes, such as this one, come directly from the original sourceforge 
code)

Regards,


-- 
Mathieu Roy
 
 << Profile  << http://savannah.gnu.org/users/yeupou <<
 >> Homepage >> http://yeupou.coleumes.org           >>
 << GPG Key  << http://gpg.coleumes.org              <<
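
One way to answer the two points quoted above, as an added example that is not part of the original message and not Savannah or SourceForge code: the confirmation value comes from the OS random generator instead of a hash function a user could work out from samples, and it is single-use and short-lived so a link sniffed from e-mail has a limited window. `ResetTokenStore`, `TOKEN_TTL` and the in-memory dictionary are hypothetical names standing in for the account database.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds a confirmation link stays valid (assumed policy)


class ResetTokenStore:
    """In-memory stand-in for the account database (hypothetical)."""

    def __init__(self, clock=time.time):
        self._pending = {}  # username -> (sha256 hex of token, expiry time)
        self._clock = clock

    def issue(self, username):
        # 256 bits from the OS CSPRNG: the value is not derived from the
        # username, e-mail or time, so collecting samples reveals nothing.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Issuing again replaces any earlier token for the account.
        self._pending[username] = (digest, self._clock() + TOKEN_TTL)
        return token  # goes into the e-mailed link only; never stored

    def redeem(self, username, token):
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires = entry
        offered = hashlib.sha256(token.encode()).hexdigest()
        # Constant-time comparison of the stored and offered digests.
        if not hmac.compare_digest(digest, offered):
            return False
        # Matching token: consume it whether or not it has expired.
        del self._pending[username]
        return self._clock() <= expires
```

Expiry and single use only shorten the exposure of a link read in transit; they do not protect the e-mail itself.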




