Status: Accepted
Owner: gunnarwo...@gmail.com
Labels: Security Component-Admin
New issue 1295 by gunnarwo...@gmail.com: Admin password generation uses
time and PID, allows attackers to brute-force it
http://code.google.com/p/cherokee/issues/detail?id=1295
CVE issue CVE-2011-2190 points out that the temporary admin password
generation function is seeded by the time and PID, which allows an attacker
to brute-force it. Yes, in production systems cherokee-admin should be
quite short-lived, but administrators can leave it running for long
periods, opening a window to this attack.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2190
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2190
An example attack has been posted to the Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2190
_______________________________________________
Cherokee-dev mailing list
Cherokee-dev@lists.octality.com
http://lists.octality.com/listinfo/cherokee-dev
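To make the flaw in the report concrete, here is an added illustration (not Cherokee's code and not from the issue) of a temporary-password generator seeded only from the clock and PID next to a hardened version drawn from the OS CSPRNG, with a helper that bounds the entropy of each. The password length and alphabet are assumptions; the issue does not state cherokee-admin's.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 16  # assumed; the issue does not give cherokee-admin's length


def weak_temp_password(seed_time: int, pid: int, length: int = PASSWORD_LEN) -> str:
    """Weak pattern described in the issue (constructed, not Cherokee's code):
    the password is a pure function of a small seed built from the clock and
    the PID, so its effective entropy is the seed space, not the password space."""
    rng = random.Random(seed_time ^ (pid << 16))
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_temp_password(length: int = PASSWORD_LEN) -> str:
    """Hardened form: each character comes from the OS CSPRNG (secrets), so the
    password keeps its full length * log2(|ALPHABET|) bits regardless of uptime."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def seed_space_bits(window_seconds: int, pid_max: int) -> float:
    """Upper bound on the entropy of a (time, PID)-seeded password: log2 of the
    number of distinct seeds reachable while cherokee-admin stays running."""
    return math.log2(window_seconds * pid_max)


def password_space_bits(length: int = PASSWORD_LEN) -> float:
    """Entropy a CSPRNG-generated password of this length actually carries."""
    return length * math.log2(len(ALPHABET))


def is_seed_determined(gen, seed_time: int, pid: int) -> bool:
    """Audit check: a generator is unsafe if the same (time, PID) yields the
    same password, since an attacker only has to enumerate seeds."""
    return gen(seed_time, pid) == gen(seed_time, pid)


if __name__ == "__main__":
    # A day of uptime with a 15-bit PID range: about 31 bits of seed space,
    # versus roughly 95 bits for a 16-character CSPRNG password.
    print(f"seed-space bound : {seed_space_bits(86400, 32768):.1f} bits")
    print(f"CSPRNG password  : {password_space_bits():.1f} bits")
    print("weak generator seed-determined:", is_seed_determined(weak_temp_password, 1300000000, 4242))
```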