Bugtraq mailing list archives
Re: Xitami Webserver stores admin password in clear text.
From: Bernd Luevelsmeyer <bdluevel () heitec net>
Date: Thu, 29 Nov 2001 05:06:00 +0100
Larry W. Cashdollar wrote:
> I am releasing this a bit early as the vendor has been aware of this issue for a while now.
> [...]
> The webserver administrator password is stored clear-text in a world readable file. A local user can use the webserver admin password to gain control of (by default) root owned xitami process. The server can then be reconfigured by the malicious user (locally unless configured to allow remote administration) to read sensitive system files and execute commands as root.
[...] On FreeBSD, the Xitami port installs in a way that Xitami has only its default configuration and will not run automatically; the user has to complete the installation manually. The intention being, of course, that he/she will configure the program first, including the security matters. You are right, however: if that's not done but Xitami is simply started, then it is insecure. I'll add a more descriptive warning to the port.
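The condition the advisory describes is a credential sitting in clear text in a file that any local user can read. The following is an added example, not code from this thread, from Larry's advisory, or from Xitami or the FreeBSD port: a small POSIX shell audit that walks a configuration directory, flags world-readable files containing a credential-looking key, and tightens their mode. The directory layout, file names and key names (`admin-password`, `server.cfg`) are constructed for the demo and are assumptions, not Xitami's real configuration format.

```shell
#!/bin/sh
# Added example (not from the Bugtraq thread or from Xitami): audit a
# configuration directory for world-readable files that hold a
# credential-looking line, the situation the advisory describes.
# Directory path, file names and key names below are assumptions.

# Lines that look like a stored credential, e.g. "password=..." or
# "admin-password: ...". Matched case-insensitively; leading blanks allowed.
CRED_PATTERN='^[[:space:]]*[a-z_-]*(password|passwd|secret)[a-z_-]*[[:space:]]*[=:]'

# audit_cleartext_creds DIR
# Prints one line per regular file under DIR whose mode includes the
# world-read bit (find -perm -o=r) and which contains a credential-looking line.
# Returns 0 when nothing was found, 1 when at least one file was flagged.
audit_cleartext_creds() {
    dir="$1"
    # grep -l prints only the names of files that match; find hands it the
    # candidate files in batches via -exec ... {} +
    found=$(find "$dir" -type f -perm -o=r -exec grep -Eil "$CRED_PATTERN" {} + 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sed 's/^/world-readable credential file: /'
    return 1
}

# fix_perms FILE: keep the file in place but drop group/other access
fix_perms() {
    chmod 600 "$1"
}

# Demo on a constructed directory (not a real server install).
demo() {
    d=$(mktemp -d)
    printf 'server-name=example\nadmin-password=hunter2\n' > "$d/server.cfg"
    chmod 644 "$d/server.cfg"        # world-readable and holds a credential: flagged
    printf 'timeout=30\n' > "$d/other.cfg"
    chmod 644 "$d/other.cfg"         # world-readable but harmless: not flagged
    if audit_cleartext_creds "$d"; then
        echo "no findings"
    else
        echo "tightening permissions on flagged file"
        fix_perms "$d/server.cfg"
        audit_cleartext_creds "$d" && echo "clean after chmod 600"
    fi
    rm -rf "$d"
}

demo
```

The check keys on mode bits rather than on whether the current user can read the file, so it gives the same answer whether it is run as root or as an ordinary account; the fix is the one the thread implies, namely restricting the file to the owner rather than relying on the administrator remembering to configure the server before starting it.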