[cvsnt] Possible security risk

Craig Graham craig at twolips-translations.co.uk
Fri Jun 13 07:48:22 BST 2003


Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.


I've been successfully using a (recent) cvsnt for a couple of months now,
and have just started to use keyword substitution in text files.

Something I've noticed is that the author field in the text files is always
filled in as "Guest". I'm using SSPI to do the connection, and I have the
server set to use the Windows usernames and passwords, rather than having a
seperate passwd file.

When I first connect to the server to check out a project on a new machine,
I am prompted for a username and password, and have to supply details that
are valid on the server. I never log in as "guest". Subsequent updates and
commits using either WinCVS or Tortoise, even following a reboot of the
machine, do not require an explicit logon as long as I use the same
directory and the cvs subdirectory is not removed.

Is this behaviour normal, or do I have a misconfigured cvsnt server that
will allow malicious people easy access?

I've not dug out and included version numbers, since this seems to be a
general config issue.

--
Dr. Craig Graham, Software Engineer
Advanced Analysis and Integration Limited, UK. http://www.aail.co.uk/




More information about the cvsnt mailing list
Download the latest CVSNT, TortosieCVS, WinCVS etc. for Windows 8 etc.
@CVSNT on Twitter   CVSNT on Facebook