Bug 174837 - CVE-2005-3630 use of IFRAME exposes password from adm.conf for users
Summary: CVE-2005-3630 use of IFRAME exposes password from adm.conf for users
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: UI - General UI
Version: 1.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 152373 240316
 
Reported: 2005-12-02 17:14 UTC by Frank Reppin
Modified: 2015-12-07 16:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-07 16:46:48 UTC
Embargoed:


Attachments
list of files for fix (82 bytes, text/plain), 2005-12-07 19:37 UTC, Rich Megginson
diffs for fix (4.78 KB, text/plain), 2005-12-07 19:39 UTC, Rich Megginson

Description Frank Reppin 2005-12-02 17:14:50 UTC
Description of problem:

Please see attached 'step-by-step' guide to
reproduce what I've discovered.

Version-Release number of selected component (if applicable):

Name        : fedora-ds
Version     : 1.0
Release     : 2.Linux
Build Date:   Tue 29 Nov 2005 11:38:37 PM CET

Additional info:

informed 'secalert' as well

Comment 2 Rich Megginson 2005-12-07 16:04:29 UTC
A patch file has been created to fix the flaw.  See
http://directory.fedora.redhat.com/wiki/FDS10Announcement for information about
how to download the patch and how to apply it to the FDS 1.0 installation.

Comment 3 Rich Megginson 2005-12-07 19:37:54 UTC
Created attachment 121993 [details]
list of files for fix

Comment 4 Rich Megginson 2005-12-07 19:39:02 UTC
Created attachment 121994 [details]
diffs for fix

Comment 5 Rich Megginson 2005-12-07 20:51:46 UTC
Checking in adminserver/admserv/cfgstuff/admserv.conf;
/cvs/dirsec/adminserver/admserv/cfgstuff/admserv.conf,v  <--  admserv.conf
new revision: 1.12; previous revision: 1.11
done
Checking in adminserver/admserv/cfgstuff/httpd.conf;
/cvs/dirsec/adminserver/admserv/cfgstuff/httpd.conf,v  <--  httpd.conf
new revision: 1.7; previous revision: 1.6
done


Comment 6 Mark J. Cox 2005-12-12 10:26:51 UTC
Making public as wiki page contains a link to this bug.

Comment 7 Michael Gregg 2007-11-15 23:41:29 UTC
verified against:
1193765112 idm-console-framework-1.1.0-5.el5idm Tue Oct 30 2007 
1193765112 redhat-idm-console-1.0.0-13.el5idm Tue Oct 30 2007 
1194380792 tftp-0.42-3.1 Tue Nov 06 2007 
1195006662 subversion-1.4.2-2.el5 Tue Nov 13 2007 
1195169113 redhat-ds-base-8.0.0-11.el5dsrv Thu Nov 15 2007 
1195169115 redhat-ds-admin-8.0.0-1.15.el5dsrv Thu Nov 15 2007 
1195169117 redhat-ds-console-8.0.0-8.el5dsrv Thu Nov 15 2007 
1195169118 redhat-admin-console-8.0.0-9.el5dsrv Thu Nov 15 2007 