Bug 174837

Summary: CVE-2005-3630 use of IFRAME exposes password from adm.conf for users
Product: [Retired] 389
Reporter: Frank Reppin <frank>
Component: UI - General UI
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Viktor Ashirov <vashirov>
Severity: medium
Docs Contact:
Priority: medium
Version: 1.0
CC: security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-07 16:46:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 152373, 240316
Attachments:
  Description              Flags
  list of files for fix    none
  diffs for fix            none

Description Frank Reppin 2005-12-02 17:14:50 UTC
Description of problem:

Please see attached 'step-by-step' guide to
reproduce what I've discovered.

Version-Release number of selected component (if applicable):

Name        : fedora-ds
Version     : 1.0
Release     : 2.Linux
Build Date:   Tue 29 Nov 2005 11:38:37 PM CET

Additional info:

informed 'secalert' as well

Comment 2 Rich Megginson 2005-12-07 16:04:29 UTC
A patch file has been created to fix the flaw.  See
http://directory.fedora.redhat.com/wiki/FDS10Announcement for information about
how to download the patch and how to apply it to the FDS 1.0 installation.

Comment 3 Rich Megginson 2005-12-07 19:37:54 UTC
Created attachment 121993 [details]
list of files for fix

Comment 4 Rich Megginson 2005-12-07 19:39:02 UTC
Created attachment 121994 [details]
diffs for fix

Comment 5 Rich Megginson 2005-12-07 20:51:46 UTC
Checking in adminserver/admserv/cfgstuff/admserv.conf;
/cvs/dirsec/adminserver/admserv/cfgstuff/admserv.conf,v  <--  admserv.conf
new revision: 1.12; previous revision: 1.11
done
Checking in adminserver/admserv/cfgstuff/httpd.conf;
/cvs/dirsec/adminserver/admserv/cfgstuff/httpd.conf,v  <--  httpd.conf
new revision: 1.7; previous revision: 1.6
done
Comment 6 Mark J. Cox 2005-12-12 10:26:51 UTC
Making public as wiki page contains a link to this bug.

Comment 7 Michael Gregg 2007-11-15 23:41:29 UTC
verified against:
1193765112 idm-console-framework-1.1.0-5.el5idm Tue Oct 30 2007 
1193765112 redhat-idm-console-1.0.0-13.el5idm Tue Oct 30 2007 
1194380792 tftp-0.42-3.1 Tue Nov 06 2007 
1195006662 subversion-1.4.2-2.el5 Tue Nov 13 2007 
1195169113 redhat-ds-base-8.0.0-11.el5dsrv Thu Nov 15 2007 
1195169115 redhat-ds-admin-8.0.0-1.15.el5dsrv Thu Nov 15 2007 
1195169117 redhat-ds-console-8.0.0-8.el5dsrv Thu Nov 15 2007 
1195169118 redhat-admin-console-8.0.0-9.el5dsrv Thu Nov 15 2007