Well, that's no leak, because everybody already knows that in every webserver "foo" is used as a password somewhere by somebody. ;-)
You do have a point, even if it's not a terribly efficient way to perform a dictionary attack.
/ Niels Möller ()
Previous text:
2003-01-30 15:58: Subject: Re: OpenSSL wrapper vs Pike's SSL (Was: Bz2)
No, I don't consider information "leaks" within a process to be a security problem (unless you use the pike security system).
They are not within the process if they are printed to a publicly avaiable channel. Take for example a webserver, which uses sprintf("%O") to print forms variables back to the requester. Safe enough. But when someone requests page.html?blurk=foo he gets back "blurk=CENSORED". Now the webserver has inadvertedly and unnecessarily informed the external person that it considers "foo" to be a secret (obvisouly for a completely different reason than that it was sent to it in a forms variable, presumably it's used as some kind of password or key).
And write("foo") would not be affected, only write("%O", "foo");
So?
/ Marcus Comstedt (ACROSS) (Hail Ilpalazzo!)