[Spacewalk-list] Insecure passwords
Miroslav Suchy
msuchy at redhat.com
Tue Apr 12 21:55:14 UTC 2011
On 12.4.2011 22:44, Trevor T Kates wrote:
> File "/usr/lib/python2.4/site-packages/<CENSORED!>/server/apacheRequest.py", line 119, in call_function
Guys,
when Spacewalk generates a traceback, it does its best not to put your
password into the log - I mean the DB password. So all instances of the DB
password are replaced with:
<CENSORED!>
but if your password is some common text, e.g. spacewalk (or usr, or lib,
or python), this logic replaces these common strings as well.
But it is very easy to guess what was there originally. Which means
that it is very easy to guess your password.
And especially when you have your hostname present in your traceback,
this is very close to an invitation: "please try to log in to my db".
Be careful.
Miroslav Suchy
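
The failure mode described in this message, as an added example that is not part of the original post and is not Spacewalk's own code: a blind substring replacement, a check to run when choosing a DB password, and a scan that flags log lines where the marker landed inside a traceback file path. The function names, the sample path and the sample log lines are constructed for illustration; only the `<CENSORED!>` marker and the example word `lib` come from the message.

```python
import re

CENSOR = "<CENSORED!>"  # marker quoted in the message above

# Constructed sample: a traceback frame as it looks before any censoring.
SAMPLE_FRAME = ('File "/usr/lib/python2.4/site-packages/example/server/'
                'handler.py", line 119, in call_function')


def naive_censor(text, secret):
    """Blind substring replacement, the behaviour the message describes."""
    return text.replace(secret, CENSOR)


def password_collides(secret, known_texts):
    """True if the secret occurs inside text that is logged anyway
    (paths, module names, hostnames), so censoring would mark its position."""
    return any(secret in t for t in known_texts)


# A marker inside the quoted path of a traceback frame means a path
# component was censored, i.e. the password equals a guessable string.
FRAME_PATH = re.compile(r'File "([^"]*)"')


def leaking_lines(log_lines):
    """Return (line_number, path) for frames whose file path holds the marker."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = FRAME_PATH.search(line)
        if match and CENSOR in match.group(1):
            hits.append((number, match.group(1)))
    return hits


if __name__ == "__main__":
    log = [naive_censor(SAMPLE_FRAME, "lib"),          # common-word password
           naive_censor(SAMPLE_FRAME, "Zr8#kq-41vT"),  # no collision, unchanged
           "connect failed for user " + CENSOR]        # marker outside a path
    for number, path in leaking_lines(log):
        print("line %d: censored path component in %s" % (number, path))
```

Running `password_collides` against a few real traceback lines and the server's hostname before setting the DB password catches the problem before any log is written.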