mc security exposure



Symptom
Using the FTP feature of mc shows the password in the file transfer
screen.  See snippet below (sorry, the ASCII art didn't transfer well):

lqqqqqqqqqqqqqqqqqqqqqqqqqqq Copy qqqqqqqqqqqqqqqqqqqqqqqqqqqk
x Copy 4 files with source mask:                             x
x *                                                      [^] x
x                                   [x] Using shell patterns x
x to:                                                        x
x /#ftp:mylogin:mypasswd georgetoft com/httpdocs/tautog  [^] x
x [ ] follow Links            [ ] Dive into subdir if exists x
x [x] preserve Attributes                [ ] Stable Symlinks x
x           [< Ok >]   [ Background ]   [ Cancel ]           x
x                                                            x
mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj

(I edited my username and password for obvious reasons.)



Recommendation
I feel this is an exposure that need not exist.  If mc is
being used in a demonstration, or when people are around,
the initial logon can be shielded from view, but when transferring
many files, this is not practical.



MC Data
OS: Linux (SuSE 7.3)

mc -V:
The Midnight Commander 4.5.54
Edition: text mode
Virtual File System: tarfs, extfs, ftpfs, mcfs, undelfs
With builtin Editor
Using S-lang library with terminfo database
With subshell support: as default
with mouse support on xterm and the Linux console.
Using locale "en_US" (from environment variable LANG)


Regards,

George
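
Added example (not part of the original message and not mc's own code): one way to avoid the exposure described above is to redact the password from the path before it is drawn in a dialog. The function name redact_ftp_password and the /#ftp:user:password@host/dir layout, including the '@' that is missing from the pasted snippet, are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: return a malloc'd copy of an ftpfs-style path with
 * the password removed, for display only.
 * Assumed format: /#ftp:[user[:password]@]host[:port][/dir] */
char *redact_ftp_password(const char *path)
{
    static const char prefix[] = "/#ftp:";
    const char *start = strstr(path, prefix);
    const char *at = NULL, *colon = NULL;
    char *out = malloc(strlen(path) + 1);
    if (out == NULL)
        return NULL;
    strcpy(out, path);                      /* default: path unchanged */
    if (start == NULL)
        return out;                         /* not an ftpfs path */
    const char *auth = start + sizeof(prefix) - 1;  /* user[:pass]@host... */
    size_t auth_len = strcspn(auth, "/");   /* authority ends at first '/' */
    /* The last '@' in the authority separates credentials from the host,
     * so a password that itself contains '@' is still removed in full. */
    for (size_t i = 0; i < auth_len; i++)
        if (auth[i] == '@')
            at = auth + i;
    if (at != NULL)                         /* only look for ':' before '@' */
        colon = memchr(auth, ':', (size_t)(at - auth));
    if (colon != NULL)                      /* splice out ":password" */
        strcpy(out + (colon - path), at);
    return out;
}

int main(void)
{
    /* Constructed sample paths, not taken from a real session */
    const char *samples[] = {
        "/#ftp:mylogin:mypasswd@ftp.example.com/httpdocs/tautog",
        "/#ftp:anonymous@ftp.example.com:21/pub",
        "/home/george/notes@1:2",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *shown = redact_ftp_password(samples[i]);
        if (shown != NULL)
            printf("%s\n", shown);
        free(shown);
    }
    return 0;
}
```

Only the string handed to the screen is changed; the connection itself would keep using the original path.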


