
[Savannah-hackers] Security risk -- somebody goofed up


From: Kim F. Storm
Subject: [Savannah-hackers] Security risk -- somebody goofed up
Date: 24 May 2004 16:59:11 +0200
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3.50

I found this in the savannah-hackers archive:

He obviously goofed up big time!!!


> Hello savannah-hackers,
> 
> Monday, May 24, 2004, 5:34:46 AM, you wrote:
> 
> shgo> Someone (presumably you) on the savannah.gnu.org site requested a
> password change through email verification. If this was not you, this could
> pose a security risk for the system.
> 
> shgo> The request came from 63.241.219.202
> shgo> (IP: 63.241.219.202 port: 41783) with Mozilla/5.0 (X11; U; Linux i686;
> en-US; rv:1.4.1) Gecko/20031114
> 
> shgo> If you requested this verification, visit the same URL
> shgo>  to change your password:
> 
> shgo> 
> https://savannah.gnu.org//account/lostlogin.php?confirm_hash=XXXXXXXXXXXXXXXXXXXXXXXXXX
> 

And he included the actual hash -- so everybody is free to steal his account 
now.

> 
> shgo> If you did not request this verification, please visit this URL to
> report about it to address@hidden
> 
> shgo> In any case make sure that you do not disclose this url to
> shgo>  somebody else, e.g. do not mail this to a public mailing list!
> 
> shgo>  -- the Savannah team.
> 
> 
> shgo> _______________________________________________
> shgo>   Message sent via/by Savannah
> shgo>   http://savannah.gnu.org/
> 
> 
> Not from here. Boot their sorry arses into oblivion!
> 
> Our  SysAdmin  has  been informed too - he ain't always nice
> but he is always right. You have been advised ;O)
> 
> -- 
> Best regards,
>  Ian                            mailto:address@hidden


But your instructions are not very clear on this point -- it should
say in BIG LETTERS not to include the hash in the mail to
savannah-hackers...

-- 
Kim F. Storm <address@hidden> http://www.cua.dk




