> My real media server information:
>
> fmmarzoa@alexander:/usr/local/rserver/Bin > rmserver -version
> Creating Server Space...
> Starting RealServer 6.0 Core...
> RealServer (c) 1995-1998 RealNetworks, Inc. All rights reserved.
> Version: 6.0.3.353
> Platform: linux2
>
> The fact is that through installation process it asks for a password that
> isn't hidden either when you write it, but worse is that this password is
> stored in the file /usr/local/rmserver/rmserver.cfg in plain format and
> this file has as default a 644 permission mask.
>
> Excuse if this security issue was advised before and, by the way, my poor
> English too.

It gets worse... the G2 web admin facility uses forms to change/set
passwords etc. (Some of) these changes are logged, in plaintext, in the
world readable access logs for your lusers' reading pleasure...

Here's a snippet:

10.1.1.1 - - [14/Mar/1999:11:23:32 +0000] "GET admin/auth.adduser.html?respage%3Dadduser_respage.html%26name%3Devilhaxor%26pass%3Dfreekevin%26realm%3DbadwURLd HTTP/1.0" 200 2452 [UNKNOWN] [UNKNOWN] [UNKNOWN] 0 0 0 0 0 114

I reported this to Real, but have had the expected response...

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adamat_private
UNITED KINGDOM                PGP key on keyservers
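
An added example, not part of either poster's message and not RealNetworks code: a log audit that finds password parameters left in access-log request lines like the one quoted above, including the percent-encoded `%3D`/`%26` form, and rewrites the line with the value redacted. It also tests a file mode for the world-read bit of the default 644 mask. The parameter-name list and all function names are assumptions; SAMPLE is the log line from the message with the wrapped "ht ml" joined.

```python
import re
import stat
from urllib.parse import unquote

# Parameter names treated as secrets (assumed list; extend per application).
SENSITIVE = {"pass", "password", "passwd", "pwd"}

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
SEP_RE = re.compile(r"(&|%26)")      # literal or percent-encoded '&'
EQ_RE = re.compile(r"=|%3[Dd]")      # literal or percent-encoded '='

# Log line quoted in the message above, rejoined onto one line.
SAMPLE = ('10.1.1.1 - - [14/Mar/1999:11:23:32 +0000] "GET admin/auth.adduser.html'
          '?respage%3Dadduser_respage.html%26name%3Devilhaxor%26pass%3Dfreekevin'
          '%26realm%3DbadwURLd HTTP/1.0" 200 2452 [UNKNOWN] [UNKNOWN] [UNKNOWN] '
          '0 0 0 0 0 114')

def redact_target(target):
    """Return (target with secret values replaced, list of leaked param names)."""
    path, qmark, query = target.partition("?")
    parts = SEP_RE.split(query)      # pairs at even indexes, separators at odd
    leaked = []
    for i in range(0, len(parts), 2):
        eq = EQ_RE.search(parts[i])
        if not eq:
            continue
        key = unquote(parts[i][:eq.start()]).lower()
        if key in SENSITIVE and parts[i][eq.end():]:
            leaked.append(key)
            parts[i] = parts[i][:eq.end()] + "[REDACTED]"
    return path + qmark + "".join(parts), leaked

def redact_line(line):
    """Redact secrets in the request field of one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    target, leaked = redact_target(m.group("target"))
    return line[:m.start("target")] + target + line[m.end("target"):], leaked

def others_can_read(mode):
    """True if the 'other' read bit is set, as it is in a 644 mask."""
    return bool(mode & stat.S_IROTH)

if __name__ == "__main__":
    cleaned, leaked = redact_line(SAMPLE)
    print("leaked parameters:", leaked)
    print(cleaned)
    print("0644 readable by others:", others_can_read(0o644))
```

Redacting a log after the fact does not undo the exposure: any password that appeared in a world-readable log should be changed, and the log and configuration file modes tightened.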