Bugtraq mailing list archives

Re: Xitami Webserver stores admin password in clear text.


From: "Larry W. Cashdollar" <lwc () vapid dhs org>
Date: Wed, 28 Nov 2001 09:52:42 -0500 (EST)



On Tue, 27 Nov 2001, Tom Micklovitch wrote:

> This is a known issue, and certainly on windows versions on Xitami, you actually have to create
> the file defaults.aut yourself, as in, actually type in its contents.

I know it is; it's in the FAQ mentioned on the Xitami website and
referenced in my advisory, which is why I released a little early.

But you are correct - it would be nice if it was encoded somehow.

> A more worrying issue is the fact that defaults.aut is world readable AND writable, hence if you
> have shared the drive it's on, anyone on the local network can simply replace it with their password.

I only tested on Linux, and in my installation defaults.aut was world
readable but not world writeable. I did notice that in the development
version 2.5b5 the defaults.aut file was group writeable as well.

-- Larry
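The thread turns on who can read or write defaults.aut. The script below is an added example for checking that on a Unix host; it is not part of the original thread and not Xitami's code. It reports group and world read/write bits on a credentials file, shows the group-writable case Larry describes for 2.5b5 on a constructed copy of defaults.aut in a temporary directory, and tightens the mode to owner-only. It assumes GNU coreutils `stat -c` (with a BSD `stat -f` fallback) and a POSIX sh.

```shell
#!/bin/sh
# Added example, not from the original Bugtraq thread or from Xitami: audit the
# permission bits of a file that holds credentials (defaults.aut in the thread)
# and report any group/world read or write access. Assumes GNU stat or BSD stat.

# perm_findings MODE -> one finding per line for a 3- or 4-digit octal mode string
# such as "644" or "0664"; prints nothing when only the owner has access.
perm_findings() {
    mode=$1
    other=${mode#"${mode%?}"}          # last digit: "other" (world) bits
    rest=${mode%?}
    group=${rest#"${rest%?}"}          # second-to-last digit: group bits
    [ $((group & 4)) -ne 0 ] && echo "group-readable"
    [ $((group & 2)) -ne 0 ] && echo "group-writable"
    [ $((other & 4)) -ne 0 ] && echo "world-readable"
    [ $((other & 2)) -ne 0 ] && echo "world-writable"
    return 0
}

# check_secret_file PATH -> 0 when owner-only, 1 when group/world can read or
# write it, 2 when the file is missing. Prints one line per finding.
check_secret_file() {
    path=$1
    [ -e "$path" ] || { echo "$path: missing"; return 2; }
    # GNU coreutils first, BSD/macOS stat as a fallback
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    findings=$(perm_findings "$mode")
    if [ -z "$findings" ]; then
        echo "$path: mode $mode OK (owner-only)"
        return 0
    fi
    for finding in $findings; do
        echo "$path: mode $mode is $finding"
    done
    return 1
}

# fix_secret_file PATH -> strip group/world bits so only the owner can read/write,
# then re-check and return that result.
fix_secret_file() {
    chmod 600 "$1" && check_secret_file "$1"
}

# Demonstration on a constructed defaults.aut in a temporary directory.
demo() {
    dir=$(mktemp -d)
    f="$dir/defaults.aut"
    # constructed placeholder contents, not a real credential
    printf 'admin=PLACEHOLDER-NOT-A-REAL-PASSWORD\n' > "$f"
    chmod 664 "$f"                      # the group-writable mode reported for 2.5b5
    check_secret_file "$f" || :         # expected to report group/world access
    fix_secret_file "$f"                # now owner-only
    rm -rf "$dir"
}

demo
```

Run it as-is to see the findings for a 664 file followed by the OK line after the fix; point `check_secret_file` at a real installation's defaults.aut (and any other file holding the admin credential) to audit it without changing anything.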

