Bugtraq mailing list archives

Re: Real Media Server stores passwords in plain text


From: llee () WESTNET COM (Lawrence S. Lee)
Date: Thu, 22 Apr 1999 21:55:08 -0400


Well, it doesn't get any better. For example...

1. Under the G2 server (IRIX 6 in my case) it turns out that the
administrator password is saved in plaintext in the user database (under the
rmserver install directory)... but the _encoder_ passwords are stored in
encrypted form!

2. While installing the G2 server I found that the install program wouldn't
work properly unless run as root... even though it didn't seem to modify any
files outside of the directory tree you're working under.

3. I believe the PNM port is 554, which I believe _requires_ (for no good
reason) you to run the G2 server as root (unless you change the port, which I
did to 5540).

4. ALL the files installed for G2 are set as readable by ALL users! Massive
chmod'ing.

5. Seeing as how it was possible to use encrypted passwords for the encoder
user, I tried finagling the config file so that it would store the
administrator password using the "encrypted store." I tore my hair out until
I finally succumbed and called tech support, which firstly didn't really see
what the big problem was, and second replied, "well, it looks like what
you're doing should make sense... so I don't know why it's not working. We'll
take a look at it and let you know what we find."

No replies back from them since (which was to be expected). As someone else
mentioned... just sloppy programming practice.

larry

"Francisco M. Marzoa Alonso" wrote:

The fact is that during the installation process it asks for a password that
isn't hidden when you write it either, but worse is that this password is
stored in the file /usr/local/rmserver/rmserver.cfg in plain format and
this file has by default a 644 permission mask.
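
A permission audit for the problem raised in point 4 and in the quoted message (world-readable files, including the 644 rmserver.cfg), as an added example that is not part of the original posts. The function names and the constructed demo tree are assumptions; the only path taken from the thread is /usr/local/rmserver.

```shell
#!/bin/sh
# Added example (not from the thread): find and remove world-readable access
# under a server install tree such as /usr/local/rmserver.

# Print every regular file under $1 that "other" users can read.
list_world_readable() {
    find "$1" -type f -perm -004 -print
}

# Number of such files, for a before/after comparison.
count_world_readable() {
    list_world_readable "$1" | wc -l | tr -d ' '
}

# Strip all "other" access from the tree, then drop group access on any
# *.cfg file, since the thread reports a password stored in rmserver.cfg.
harden_tree() {
    chmod -R o-rwx "$1"
    find "$1" -type f -name '*.cfg' -exec chmod 600 {} +
}

# Build a constructed sample tree (hypothetical file names apart from
# rmserver.cfg) and print its path.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/Logs"
    printf 'constructed sample config\n' > "$d/rmserver.cfg"
    printf 'constructed sample log\n' > "$d/Logs/access.log"
    printf 'constructed sample data\n' > "$d/private.dat"
    chmod 644 "$d/rmserver.cfg" "$d/Logs/access.log"
    chmod 600 "$d/private.dat"
    printf '%s\n' "$d"
}

# Usage: sh audit.sh /usr/local/rmserver   (report only; call harden_tree
# explicitly once the service account owns the tree).
if [ "$#" -ge 1 ]; then
    list_world_readable "$1"
fi
```

After hardening, the config file is readable only by its owner, so the server has to run as the account that owns the tree.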


