> M. Marzoa Alonso wrote: >> The fact is that through installation process it ask for a >> password that itsn't hide neither when you write it, but worse is that this >> password is stored in the file /usr/local/rmserver/rmserver.cfg in plain >> format > Peter Roth <rothat_private> wrote: >this also affects Version 6.0.3.303 of RealAudio Basic Server on Win NT, >File Persmission is set to full access by everyone tangetially related to Real Server/cleartext passwords....but mostly related to bad practices on the part of application developers. FWIW- Station Manager from Lariat Software (www.lariat.com) manages/schedules content offered on Real Servers and has similar issues. Quoting from their docs: In order to access Station Manager, it must be installed on a Web server. You can install Station Manager directly into the Web server's root directory or in another directory on the same computer as long as the directory is a virtual directory of the Web server. Installing the product under docroot means all of the installed files are viewable and/or retrievable. This includes license info, manuals, admin info, *config* files...for example: http://my.example.com/stationmanager/lariat/server/config/stnmng.cfg might reward you with: --- RVSLTA Z:\Real\Server\Bin\rvslta.exe SERVERHOSTNAME somehost.example.com SERVERPASSWORD xyz123 <-- ed note: Real Server pw here SERVERPORT 7777 CONVERSION somehost.example.com 7777 X:\rmfiles STATIONMANAGERPASSWORD foobar --- Of course you can use access control mechanisms to protect yourself but nowhere do they warn of these pitfalls and if someone installs the product under the docroot of a typical server: a) without access control b) with directory listings enabled then the above config files and their passwords (among other things) are exposed. Even if directory listing is dis-abled, one can still retrieve config files (for example) if one simply knows the correct path/filename. Lariat has been told and may be in the process of modifying documentation.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:43:11 PDT