Bugtraq mailing list archives

Re: Xitami Webserver stores admin password in clear text.


From: Bernd Luevelsmeyer <bdluevel () heitec net>
Date: Thu, 29 Nov 2001 05:06:00 +0100

Larry W. Cashdollar wrote:

> I am releasing this a bit early as the vendor has been aware of this issue
> for a while now.
> [...]
> The webserver administrator password is stored clear-text in a world
> readable file.  A local user can use the webserver admin password to gain
> control of (by default) root owned xitami process.  The server can then be
> reconfigured by the malicious user (locally unless configured to allow
> remote administration) to read sensitive system files and execute commands
> as root.
> [...]


On FreeBSD, the Xitami port installs in a way that Xitami has only
its default configuration and will not run automatically; the user
has to complete the installation manually, the intention being, of
course, that he/she will configure the program first, including the
security matters.
You are right, however: if that's not done and Xitami is simply
started instead, then it is insecure. I'll add a more descriptive
warning to the port.
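A check for the condition the advisory describes (a clear-text credential sitting in a file that other local users can read), as an added example that is not part of this thread, of Xitami, or of the FreeBSD port. The file path is an assumption supplied by the caller, since the message does not name the file; the "password"-style line pattern and the demo file are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the advisory or the Xitami port.
# Reports whether a configuration file that holds a credential in clear
# text is readable by users other than its owner.

# world_readable FILE
#   returns 0 if the "other read" permission bit is set, 1 if not,
#   2 if FILE is not a regular file
world_readable() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    # POSIX find: -perm -o+r matches when the other-read bit is set
    if [ -n "$(find "$f" -perm -o+r 2>/dev/null)" ]; then
        return 0
    fi
    return 1
}

# check_cleartext_secret FILE
#   returns 0 if FILE contains a password-looking line AND is world-readable
#   (the situation the advisory describes), 1 if the line is present but the
#   file is not world-readable, 3 if no such line is found
check_cleartext_secret() {
    f=$1
    # constructed pattern: settings such as "password=", "admin_password:"
    if ! grep -Eiq '^[[:space:]]*(admin[_-]?)?pass(word)?[[:space:]]*[=:]' "$f"; then
        return 3
    fi
    if world_readable "$f"; then
        echo "EXPOSED: $f stores a clear-text credential and is world-readable" >&2
        return 0
    fi
    return 1
}

# demo: constructed file, first with mode 644 (exposed), then 600 (not)
demo() {
    tmp=$(mktemp) || return 2
    printf 'password=secret\n' > "$tmp"
    chmod 644 "$tmp"
    check_cleartext_secret "$tmp"; before=$?
    chmod 600 "$tmp"
    check_cleartext_secret "$tmp"; after=$?
    rm -f "$tmp"
    echo "exposed-status=$before restricted-status=$after"
}

demo
```

Run it against the real file with `check_cleartext_secret /path/to/config`; a return of 0 means any local account can read the admin credential, and `chmod 600` (with the file owned by the account that runs the server) is the minimum fix until the credential is moved out of the world-readable file.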

