Re: Two new bugs on SF...

From: Eric Sorenson
Subject: Re: Two new bugs on SF...
Date: Thu, 28 Jul 2005 09:34:58 -0700 (PDT)

On Thu, 28 Jul 2005, Chip Seraphine wrote:

> Eric Sorenson wrote:
> > Mark has said before that this behavior is intentional, to avoid giving
> > specific error information to an attacker.
> Just curious-- if authentication has been established, why are we withholding
> useful error messages from the client?

Here's the message I was remembering:


        Cfservd never tells you specifically why something failed.  
        It's a "feature". But there should probably be an option to provide 
        specific messages to trusted hosts or something...

        More things for the future.

IIRC there's a generic path back up the stack from a failed stat and 
it throws the "Host auth failed" message along the way.

(Personally I agree with you: IMO the risk of an attacker gleaning 
something from a cfengine error message is massively overbalanced by 
the confusion that this causes for legitimate users.)

 - Eric Sorenson - N37 17.255 W121 55.738 -
 - Personal colo with a professional touch - http://www.explosive.net -
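
The option floated in the quoted message (specific messages for trusted hosts, one generic message for everyone else) could look like the sketch below. This is an added example, not part of the original message and not cfengine code: the reason codes, allow-list addresses and function names are hypothetical, and only the "Host auth failed" string comes from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical failure reasons for this sketch; not cfservd's own codes. */
enum fail_reason { FAIL_AUTH, FAIL_STAT, FAIL_ACL };

static const char *reason_text(enum fail_reason r) {
    switch (r) {
    case FAIL_AUTH: return "host key or identity check failed";
    case FAIL_STAT: return "stat failed on requested file";
    case FAIL_ACL:  return "path not granted to this host";
    }
    return "unknown failure";
}

/* Constructed allow-list (RFC 5737 documentation addresses). */
static const char *trusted_hosts[] = { "192.0.2.10", "192.0.2.11" };

static int is_trusted(const char *peer) {
    for (size_t i = 0; i < sizeof trusted_hosts / sizeof trusted_hosts[0]; i++)
        if (strcmp(peer, trusted_hosts[i]) == 0)
            return 1;
    return 0;
}

/* The server's own log always records the specific reason. */
const char *server_log_line(const char *peer, int authenticated, enum fail_reason r) {
    static char buf[160];
    snprintf(buf, sizeof buf, "peer=%s auth=%d reason=\"%s\"",
             peer, authenticated, reason_text(r));
    return buf;
}

/* The client sees detail only if it authenticated AND is on the allow-list;
 * everyone else gets the one generic string, whatever actually went wrong. */
const char *client_reply(const char *peer, int authenticated, enum fail_reason r) {
    static char buf[160];
    if (authenticated && is_trusted(peer))
        snprintf(buf, sizeof buf, "Request failed: %s", reason_text(r));
    else
        snprintf(buf, sizeof buf, "Host auth failed");
    return buf;
}

int main(void) {
    puts(client_reply("192.0.2.10", 1, FAIL_STAT));   /* trusted: specific */
    puts(client_reply("198.51.100.7", 1, FAIL_STAT)); /* untrusted: generic */
    puts(server_log_line("198.51.100.7", 1, FAIL_STAT));
    return 0;
}
```

Either way the administrator can find the real cause in the server log, so the generic reply costs the legitimate user a log lookup rather than the diagnosis itself.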

