RE: [cobalt-security] user name = user
- Subject: RE: [cobalt-security] user name = user
- From: "Malcolm Wild" <cobaltsec@xxxxxxxxxxx>
- Date: Mon, 23 Jul 2001 15:35:38 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
In a paranoid world you're right, you wouldn't want the user to have the
username publicly displayed anywhere, but fixing this patch doesn't stop all
the other holes,
e.g.
1 - the autoresponder on RaQs has a from email address of
USERNAME@xxxxxxxxxxxxxx - yet just guess the password!
2 - what is the admin user account on every RaQ - err admin - no guessing
required
3 - if any user has shell access, /etc/passwd is rw-r-r so they can read all
the usernames anyway
The only real fix is to ensure your clients use decent 8 character
passwords and change them often.
-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Kai Schantz,
Euroweb
Sent: 23 July 2001 14:58
To: Cobalt-Security@List. Cobalt. Com
Subject: [cobalt-security] user name = user
Hi,
One of our customers has made a user account with the following data:
full name: user name
user name: user
email alias: user.name
I think this looks a little rare and maybe there is some security
problem/holes with this?
Anybody know how to make it impossible for users to make account names like
this?
This was on a raq4r..
Kai Schantz
Euroweb AS
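One way to approach the original question of blocking account names such as `user`, as an added example that is not part of either message and not Cobalt's own code: a POSIX shell check that can gate a new name and audit an existing passwd-format file. The deny list, the minimum length, the UID cutoff of 500 and the sample accounts are all assumptions.

```shell
#!/bin/sh
# Added example. DENY, MINLEN and the UID cutoff are assumed policy values.
DENY="user test guest demo info web www mail ftp temp"
MINLEN=3

# check_login NAME -> prints a reason and returns 1 if NAME is rejected.
check_login() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$name" in
        ''|*[!a-z0-9._-]*) echo "invalid characters"; return 1 ;;
    esac
    if [ "${#name}" -lt "$MINLEN" ]; then
        echo "shorter than $MINLEN characters"; return 1
    fi
    for bad in $DENY; do
        if [ "$name" = "$bad" ]; then
            echo "generic name on deny list"; return 1
        fi
    done
    return 0
}

# audit_passwd FILE -> prints "login: reason" for each existing account that
# check_login would reject. System accounts (UID < 500, assumed) are skipped.
audit_passwd() {
    while IFS=: read -r login _pw uid _rest; do
        case "$login" in ''|\#*) continue ;; esac      # blank or comment
        case "$uid" in ''|*[!0-9]*) continue ;; esac   # malformed line
        [ "$uid" -lt 500 ] && continue
        reason=$(check_login "$login") || echo "$login: $reason"
    done < "$1"
    return 0
}

# Constructed sample in passwd format (not real accounts).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:110:110:Site Admin:/home/admin:/bin/bash
user:x:501:501:user name:/home/user:/bin/false
jsmith:x:502:502:Jane Smith:/home/jsmith:/bin/false
ab:x:503:503:Al B:/home/ab:/bin/false
broken-line-without-fields
EOF
audit_passwd "$sample"
```

A name check like this only narrows what can be guessed; it does not replace the password advice in the reply above.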