| Field | Value |
|---|---|
| VID | 23049 |
| Severity | 30 |
| Port | 2401 |
| Protocol | TCP |
| Class | CVS |
| Detailed Description | The CVS pserver is accessible with a list of commonly used passwords and CVS repositories. CVS (Concurrent Versions System) is an open-source source code management and distribution system available for most Linux and Unix-based operating systems. The service runs as a daemon (cvspserver), typically listening on port 2401/tcp. This check attempts to log into the remote public CVS pserver using combinations of commonly used accounts, passwords and directory paths, such as the following. Directories: "/cvsroot", "/cvs", "/cvsroot", "/u/cvs", "/home/ncvs", "/usr/local/cvs". Accounts: "anonymous", "anoncvs", "anon", "cvsadm". Passwords: "anon", "anoncvs", "cvsadm", "" (empty password). |
| Platforms Affected | CVS (Concurrent Versions System), any version; Linux, any version; UNIX, any version |
| Recommendation | Disable the CVS pserver if it is not needed. If the CVS daemon is started from inetd.conf, comment out its entry by putting a # at the beginning of the line; if it is started from an rc script, comment it out as appropriate for your operating system. Otherwise, if the CVS pserver does not need to be shared with the public, disable public CVS access and make sure the server is properly configured with private passwords. |
| Related URL | (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |