[cvsnt] SECURITY BUG IN PSERVER

River river at ptt.yu
Mon Aug 11 07:51:44 BST 2003


I posted this some time ago for version 2.0.4. Now I installed 2.1.1 and
still the same bug

If I set up repository with pserver authentication, by using admin file,
passwd file and create 2 users, one that is administrator (river), and one
that is user (ruser) .

Next I can log on to server with administrator login (river) and I add one
new user foo using cvs passwd -a foo

Next I log of , and then log again using normal user password (ruser).

If I try to add new user I got error that only admins can add users, but IF
I TRY TO DELETE USER USING

 cvs passwd -X foo

I WILL BE ABLE TO DO IT.

Can somebody please help about this. Maby I'm wrong with my configuration,
but if so, please help me.




More information about the cvsnt mailing list