[dev] Re: [cvs] commit: passwd/config .cvsignore backends.php.dist conf.xml passwd/lib Driver.php Passwd.php base.php passwd/lib/Driver ldap.php sql.php passwd/templates/main main.inc passwd main.php

Harry Hoffman hhoffman@ip-solutions.net
Sun Oct 13 07:51:53 PDT 2002


Hi,
Essentially this is no different from any server that provides a login service
for any network application. POP, IMAP, SSH, etc. can all be exploited by first
brute forcing the password then changing it. The only difference is that the
"hacker" is more likely to be noticed upon changing the password. It's no more a
security risk than any of these other types of services.

Thanks,
Harry



Quoting Eric Rostetter <eric.rostetter@physics.utexas.edu>:

> Quoting Mike Cochrane <mike@graftonhall.co.nz>:
> 
> > Maybe designed wasn't the best word... able to be a guest application...
> 
> Okay...
> 
> > Passwd, now, doesn't deal with the logged in user at all. This turns passwd
> > into a more generic password change module.
> 
> And, as a side effect, a module much easier to exploit by hackers to hack
> passwords...
> 
> > It allows the changing of passwords that aren't used to login to Horde.
> 
> Okay...
> 
> > It wouldn't make sense to login to your mail account to change your shell
> > password. So passwd now allows guests.
> 
> My objection is to making "guest => true" the default in the registry.php
> file.  I think this makes the module much more of a security concern.
> 
> I don't object to the functionality, but I think we should have guest access
> off by default, and make the system admin/installer set it to true if they
> want to accept responsibility for the security concerns doing so raises.
> That would also imply documenting any security concerns, even if only ever
> so briefly, in the INSTALL or README file.
> 
> Anyone disagree with me?
> 
> > - Mike :-)
> 
> 
> --
> Eric Rostetter
> The Department of Physics
> The University of Texas at Austin
> 
> Why get even? Get odd!
> 
> --
> Horde developers mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: dev-unsubscribe@lists.horde.org


-- 
Harry Hoffman
ITSS Systems Team Leader
University of Auckland
hhoffman@auckland.ac.nz
hhoffman@ip-solutions.net
STANDARD DISCLAIMER:
**********************************************
*This universe shipped by weight, not volume.*
*Some expansion may have occurred in shipping.*
*********************************************

-------------------------------------------------
Mail service provided by IpSolutions 
http://www.ip-solutions.net/
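The risk the thread discusses is a guest-reachable password-change form that can be driven by a brute-force run against the current password, with the change itself being the one step an attacker is likely to get noticed on. The following is an added illustration, not code from the Horde passwd module or from either poster, of the two controls a defender wants on such a form: a per-account failure counter with a temporary lockout, and an audit trail of every attempt so that both the guessing and the eventual change are visible. The class, the thresholds, the in-memory store and the explicit `now` timestamp parameter are assumptions made for the example; a real service would back the store with its user database and the audit list with syslog.

```python
"""Added example of a guest-accessible password-change service with lockout
and auditing.  Not the Horde passwd module's code; names and thresholds are
assumptions for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5        # assumed: lock the account after this many bad attempts
LOCKOUT_SECONDS = 900   # assumed: 15 minute lockout window


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored value is useless if the table leaks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0        # consecutive bad current-password attempts
    locked_until: float = 0  # epoch seconds; 0 means not locked


class PasswordChangeService:
    """A change form that is open to guests but verifies the current
    password, rate-limits guessing, and records every outcome."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # (event, user) pairs; a production service writes these to syslog
        self.audit: list[tuple[str, str]] = []

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _digest(password, salt))

    def change_password(self, user: str, current: str, new: str, now: float) -> str:
        """Return 'changed', 'rejected' or 'locked'.  `now` is passed in
        explicitly (assumption for the example) so behaviour is deterministic."""
        acct = self.accounts.get(user)
        # Unknown users take the same failure path as a wrong password, so the
        # form does not reveal which account names exist.
        if acct is None:
            self.audit.append(("unknown-user", user))
            return "rejected"
        if now < acct.locked_until:
            self.audit.append(("locked", user))
            return "locked"
        if not hmac.compare_digest(acct.digest, _digest(current, acct.salt)):
            acct.failures += 1
            self.audit.append(("bad-current-password", user))
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                self.audit.append(("lockout", user))
            return "rejected"
        # Correct current password: reset the counter, re-salt, store the new hash.
        acct.failures = 0
        acct.salt = os.urandom(16)
        acct.digest = _digest(new, acct.salt)
        self.audit.append(("password-changed", user))
        return "changed"


if __name__ == "__main__":
    svc = PasswordChangeService()
    svc.add_user("alice", "correct horse")            # constructed sample account
    for _ in range(MAX_FAILURES):
        svc.change_password("alice", "guess", "x", now=0)
    print(svc.change_password("alice", "correct horse", "new", now=1))     # locked
    print(svc.change_password("alice", "correct horse", "new", now=1000))  # changed
    for event in svc.audit:
        print(event)
```

The lockout is keyed on the account, not the client address, because the brute-force scenario in the thread targets one known account from wherever the attacker likes; the audit entries for `bad-current-password`, `lockout` and `password-changed` are what give an operator the "noticed upon changing the password" signal even before the legitimate user complains.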

