misc/69596: When logging in or su'ing to root, I noticed that if you type the correct password but add characters to the end of the correct password, the password still passes validation and allows you to login

Timothy Radigan tradigan at newrevolutions.net
Sun Jul 25 16:10:16 PDT 2004


>Number:         69596
>Category:       misc
>Synopsis:       When logging in or su'ing to root, I noticed that if you type the correct password but add characters to the end of the correct password, the password still passes validation and allows you to login
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 25 23:10:15 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Timothy Radigan
>Release:        5.1
>Organization:
New Revolutions
>Environment:
FreeBSD nr-fbsd-01.newrevolutions.net 5.1-RELEASE-p16 FreeBSD 5.1-RELEASE-p16 #2: Sat May 15 14:35:21 EDT 2004    radigan at nr-fbsd-01.newrevolutions.net:/usr/obj/usr/src/sus/nr-fbsd-01  i386
>Description:
When logging into my FreeBSD server, I logged on as my regular user and typed the password correctly but added a few extra characters after I entered my password.  Surprisingly, the machine let me in.  I tried to log in with a completely wrong password and it denied access.  This problem also occurs when su'ing to root.  I type su, then type the password (correctly) and add extra characters on the end and it granted me root access.
>How-To-Repeat:
Log in using an account, type the correct password and a few extra characters after the correct password and try to log in.  You will be validated and access is granted.
>Fix:
      
>Release-Note:
>Audit-Trail:
>Unformatted:

