Huge security problem with Breezy

Howard Coles Jr. dhcolesj at gmail.com
Mon Mar 13 04:55:11 UTC 2006


On Sunday 12 March 2006 21:19, Mike Hudson wrote:
> I apologize if this is not the right forum for this issue, but I
> think it's pretty important -- Every Ubuntu user should be warned.
>
> http://www.ubuntuforums.org/showthread.php?t=143334
>
> Users have reported Breezy Kubuntu and Ubuntu both have this problem.
>
> Users report that the password they created when they installed
> Breezy Ubuntu/Kubuntu is in plain text in the file below:
> /var/log/installer/cdebconf/questions.dat
>
> The file is world readable, so anybody that could log in locally,
> remotely, or put executable script files on your Ubuntu/Kubuntu box
> could have read your password.
>
> Make sure to delete this file as soon as possible, and change your
> password.
>
> I imagine that this would only affect you if you installed from
> Breezy.  If you installed from Hoary and upgraded to Breezy, you
> probably wouldn't have the problem.

Whoa!  I'm glad someone caught this!!  I found my extra user password in the 
file!  This bites.  Why would this file be kept around, or why would it be 
storing password prompt info at all, much less as clear text?!?

-- 

See Ya'
Howard Coles Jr.
John 3:16!

Christian Books On-Line http://risenbooks.com
http://home.comcast.net/~dhcolesj
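
A defensive check for the condition reported in this thread, as an added example that is not part of the original messages: it flags a question file that is world-readable and holds a non-empty value for any question whose name mentions "password". The stanza layout (blank-line-separated `Name:` and `Value:` lines), the function names and the sample data are assumptions.

```shell
#!/bin/sh
# Defensive audit for the exposure described in the thread above.
# Assumption: the file is made of blank-line-separated stanzas with
# "Name:" and "Value:" lines; the function names are hypothetical.

# Succeeds if "other" has read permission on FILE.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Prints the names of questions that mention "password" and carry a
# non-empty value. The value itself is never printed.
password_questions() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        name = ""; has_value = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Name: /)   name = substr($i, 7)
            if ($i ~ /^Value: ./) has_value = 1
        }
        if (has_value && tolower(name) ~ /password/) print name
    }' "$1"
}

# Returns 1 (and reports) when FILE is both world-readable and holds
# password values; returns 0 when FILE is absent or not exposed.
audit() {
    [ -f "$1" ] || { echo "absent: $1"; return 0; }
    hits=$(password_questions "$1")
    if [ -n "$hits" ] && world_readable "$1"; then
        echo "EXPOSED: $1 is world-readable and stores:" $hits
        return 1
    fi
    echo "ok: $1"
}

# Writes a constructed sample (not a real installer log) to FILE.
make_sample() {
    printf 'Name: passwd/user-password\nValue: example-not-a-real-password\n\n' > "$1"
    printf 'Name: debian-installer/locale\nValue: en_US\n' >> "$1"
    chmod 644 "$1"
}

# Usage on an installed system:
#   sh audit.sh /var/log/installer/cdebconf/questions.dat
if [ $# -gt 0 ]; then audit "$1"; fi
```

A file that has already been read by another account cannot be made safe after the fact, which is why the original report pairs deleting the file with changing the password.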