Re: Xitami Webserver stores admin password in clear text.

From: Bernd Luevelsmeyer (bdluevelat_private)
Date: Wed Nov 28 2001 - 20:06:00 PST


    Larry W. Cashdollar wrote:
    > 
    > I am releasing this a bit early as the vendor has been aware of this issue
    > for a while now.
    [...]
    > The webserver administrator password is stored clear-text in a world
    > readable file.  A local user can use the webserver admin password to gain
    > control of (by default) root owned xitami process.  The server can then be
    > reconfigured by the malicious user (locally unless configured to allow
    > remote administration) to read sensitive system files and execute commands
    > as root.
    [...]
    
    
    On FreeBSD, the Xitami port installs in a way that Xitami has only
    its default configuration and will not run automatically; the user
    has to complete the installation manually. The intention is, of
    course, that he/she will configure the program first, including the
    security matters.
    You are right, however: if that's not done and Xitami is simply
    started, then it is insecure. I'll add a more descriptive warning to
    the port.
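As an added example that is not part of this thread: a small POSIX sh check, in the spirit of the installation warning discussed above, that flags a configuration file which is both world-readable and carries a clear-text password directive. The configuration path and the directive name are assumptions; the thread does not name Xitami's actual file or key.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits one config file for
# the condition described above: an administrator password kept in clear
# text in a file that every local user can read.
# The directive name ("password" by default) and any path you pass in are
# placeholders; Xitami's real file and key are not given in the thread.

# Returns 0 when the file is not world-readable, 1 when it is world-readable
# AND holds a non-empty clear-text password directive, 2 when it is merely
# world-readable, and 3 when the file does not exist.
check_config_secret() {
    cfg="$1"
    key="${2:-password}"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 3; }

    # Octal permission bits: GNU stat uses -c '%a', BSD stat uses -f '%Lp'.
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    # Last octal digit is the "other" class; read bit set => 4, 5, 6 or 7.
    other=${mode#"${mode%?}"}
    world_readable=0
    case "$other" in
        4|5|6|7) world_readable=1 ;;
    esac

    # A "key = value" or "key: value" line with a non-empty value.
    has_secret=0
    if grep -Eiq "^[[:space:]]*${key}[[:space:]]*[=:][[:space:]]*[^[:space:]]" "$cfg"; then
        has_secret=1
    fi

    if [ "$world_readable" -eq 1 ] && [ "$has_secret" -eq 1 ]; then
        echo "INSECURE: $cfg (mode $mode) is world-readable and holds a clear-text '$key'"
        return 1
    elif [ "$world_readable" -eq 1 ]; then
        echo "WARN: $cfg (mode $mode) is world-readable"
        return 2
    fi
    echo "OK: $cfg (mode $mode)"
    return 0
}
```

Run it as `check_config_secret /path/to/server.cfg admin_password` from a post-install step or a periodic audit; a non-zero status is the cue to tighten the mode (for example `chmod 600`) or move the credential out of the file.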
    



    This archive was generated by hypermail 2b30 : Wed Nov 28 2001 - 20:25:08 PST