Security hole.


Security hole.

by Suresh Sundriyal-2

While subscribing for indications, Openwsman sets the Destination property in the indicationHandler
with the username/password. If someone were to enumerate the CIMIndicationHandlerCIMXML class
he will be presented with the password for all the users subscribed for indications.

This is done by the following line in sfcc-interface.c:

snprintf(serverpath, 128, "http://%s:%s@localhost:%s%s", client->username, client->password,
            get_server_port(), servicepath);

Seems like this should be changed to:

snprintf(serverpath, 128, "http://localhost:%s%s", get_server_port(), servicepath);

Although, it might lead to problems if unencrypted communication is not enabled between the CIMOM and
Openwsman but since I don't have such a setup, I wasn't able to confirm it. For my setup the above
fix works fine.

--
Regards,
Suresh
_______________________________________________
Openwsman-devel mailing list
Openwsman-devel@...
https://lists.sourceforge.net/lists/listinfo/openwsman-devel

Re: Security hole.

by Klaus Kaempf

* Suresh Sundriyal <ssundriy@...> [Oct 13. 2009 10:33]:
> While subscribing for indications, Openwsman sets the Destination property in the indicationHandler
> with the username/password. If someone were to enumerate the CIMIndicationHandlerCIMXML class
> he will be presented with the password for all the users subscribed for indications.

[...]
>
> Seems like this should be changed to:
>
> snprintf(serverpath, 128, "http://localhost:%s%s", get_server_port(), servicepath);

Applied as svn rev 3293.

Thanks for the fix!

Klaus
---
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
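
An added example, not part of the thread or of Openwsman's code: a C check that a URL about to be stored in a property such as Destination carries no userinfo, plus a redaction helper for values already stored. The function names and the sample URL (user, password, port, path) are constructed; parsing follows RFC 3986, so an unencoded '/' inside a password is not detected.

```c
#include <stdio.h>
#include <string.h>

/* Locate the authority ("[userinfo@]host[:port]") of a URL per RFC 3986.
 * Returns its start and stores its length, or NULL if there is no "://". */
static const char *authority(const char *url, size_t *len)
{
    const char *a = strstr(url, "://");
    if (a == NULL)
        return NULL;
    a += 3;
    *len = strcspn(a, "/?#");   /* authority ends at path, query or fragment */
    return a;
}

/* Pointer to the last '@' inside the authority, or NULL if no userinfo. */
static const char *userinfo_end(const char *a, size_t len)
{
    const char *at = NULL;
    for (size_t i = 0; i < len; i++)
        if (a[i] == '@')
            at = a + i;
    return at;
}

/* Returns 1 if the URL embeds "user[:password]@", else 0. */
int url_has_userinfo(const char *url)
{
    size_t len = 0;
    const char *a = authority(url, &len);
    return a != NULL && userinfo_end(a, len) != NULL;
}

/* Writes url without userinfo to out; returns -1 if out would be truncated. */
int url_strip_userinfo(const char *url, char *out, size_t outlen)
{
    size_t len = 0;
    const char *a = authority(url, &len);
    const char *at = a ? userinfo_end(a, len) : NULL;
    int n = at ? snprintf(out, outlen, "%.*s%s", (int)(a - url), url, at + 1)
               : snprintf(out, outlen, "%s", url);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample value, shaped like the pre-fix Destination string. */
    const char *stored = "http://alice:s3cret@localhost:5988/indication";
    char clean[128];
    if (url_has_userinfo(stored) && url_strip_userinfo(stored, clean, sizeof clean) == 0)
        printf("credentials present; redacted form: %s\n", clean);
    return 0;
}
```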

