Re: Real Media Server stores passwords in plain text

From: Doug Monroe (monwelat_private)
Date: Mon Apr 19 1999 - 17:37:49 PDT

Next message: Adam Brown: "AOL Instant Messenger URL Crash"

Previous message: aleph1at_private: "Security Bulletins Digest"
Maybe in reply to: Francisco M. Marzoa Alonso: "Real Media Server stores passwords in plain text"
Next in thread: Lawrence S. Lee: "Re: Real Media Server stores passwords in plain text"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> M. Marzoa Alonso wrote:
>> The fact is that through installation process it ask for a
>> password that itsn't hide neither when you write it, but worse is that this
>> password is stored in the file /usr/local/rmserver/rmserver.cfg in plain
>> format

> Peter Roth <rothat_private> wrote:
>this also affects Version 6.0.3.303 of RealAudio Basic Server on Win NT,
>File Persmission is set to full access by everyone

tangetially related to Real Server/cleartext passwords....but mostly
related to bad practices on the part of application developers. FWIW-

Station Manager from Lariat Software (www.lariat.com) manages/schedules
content offered on Real Servers and has similar issues. Quoting from their
docs:

    In order to access Station Manager, it must be installed on a Web
    server. You can install Station Manager directly into the Web
    server's root directory or in another directory on the same computer
    as long as the directory is a virtual directory of the Web server.
Installing the product under docroot means all of the
installed files are viewable and/or retrievable. This includes
license info, manuals, admin info, *config* files...for example:
http://my.example.com/stationmanager/lariat/server/config/stnmng.cfg
might reward you with:
---
  RVSLTA	Z:\Real\Server\Bin\rvslta.exe
  SERVERHOSTNAME	somehost.example.com
  SERVERPASSWORD	xyz123            <-- ed note: Real Server pw here
  SERVERPORT	7777
  CONVERSION	somehost.example.com 7777 X:\rmfiles
  STATIONMANAGERPASSWORD	foobar
---
Of course you can use access control mechanisms to protect yourself but
nowhere do they warn of these pitfalls and if someone installs the product
under the docroot of a typical server:
  a) without access control
  b) with directory listings enabled
then the above config files and their passwords (among other things) are
exposed. Even if directory listing is dis-abled, one can still retrieve config
files (for example) if one simply knows the correct path/filename.
Lariat has been told and may be in the process of modifying documentation.

Next message: Adam Brown: "AOL Instant Messenger URL Crash"
Previous message: aleph1at_private: "Security Bulletins Digest"
Maybe in reply to: Francisco M. Marzoa Alonso: "Real Media Server stores passwords in plain text"
Next in thread: Lawrence S. Lee: "Re: Real Media Server stores passwords in plain text"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:43:11 PDT