Re: Xitami Webserver stores admin password in clear text.
From: Bernd Luevelsmeyer (bdluevel@heitec.net)
Date: 11/29/01
- Previous message: Tony Chimienti: "SafeWord Agent for SSH (secure shell) vulnerability"
- In reply to: Larry W. Cashdollar: "Xitami Webserver stores admin password in clear text."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 29 Nov 2001 05:06:00 +0100
From: Bernd Luevelsmeyer <bdluevel@heitec.net>
To: "Larry W. Cashdollar" <lwc@vapid.dhs.org>
Subject: Re: Xitami Webserver stores admin password in clear text.
Message-Id: <20011129040600.77796B8101@christel.heitec.net>
Larry W. Cashdollar wrote:
>
> I am releasing this a bit early as the vendor has been aware of this issue
> for a while now.
[...]
> The webserver administrator password is stored clear-text in a world
> readable file. A local user can use the webserver admin password to gain
> control of (by default) root owned xitami process. The server can then be
> reconfigured by the malicious user (locally unless configured to allow
> remote administration) to read sensitive system files and execute commands
> as root.
[...]
On FreeBSD, the Xitami port installs in a way that Xitami has only
its default configuration and will not run automatically; the user
has to complete the installation manually. The intention being, of
course, that he/she will configure the program first, including the
security matters.
You are right, however, if that's not done but Xitami is simply
started, then it is insecure. I'll add a more descriptive warning to
the port.
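The finding quoted above has two parts: the admin password sits in a configuration file in clear text, and that file is readable by every local user. The script below is an added example (not from the thread, the FreeBSD port, or Xitami itself) of how an administrator or a port maintainer could audit for exactly that combination before starting the server. It assumes a hypothetical `admin-password=` key and constructs its own sample files; Xitami's real configuration layout is not reproduced here.

```shell
#!/bin/sh
# Added example: audit a config file for the two weaknesses described in the
# thread, i.e. a clear-text password line in a file that other users can read.

# Returns 0 when the file is readable by "others" (the world), 1 otherwise.
# Uses ls -ld and the 8th character of the mode string so it works on both
# GNU and BSD userlands without relying on stat(1) flag differences.
world_readable() {
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Returns 0 when the file holds a line like "admin-password=..." or
# "password=...". The key name is a hypothetical one chosen for this example.
has_cleartext_password() {
    grep -Eiq '^[[:space:]]*(admin[-_]?)?password[[:space:]]*=' "$1"
}

# Returns 0 (and prints a finding) only when both conditions hold: the file is
# world-readable AND it carries a clear-text password. A file that is mode 600
# with a password in it is not flagged, since local users cannot read it.
audit_config() {
    if world_readable "$1" && has_cleartext_password "$1"; then
        echo "FINDING: $1 is world-readable and contains a clear-text password"
        return 0
    fi
    return 1
}

# Constructed sample files for the demonstration (not Xitami's real files).
AUDIT_DIR=$(mktemp -d)
printf 'admin-password=secret123\n' > "$AUDIT_DIR/weak.cfg"
chmod 644 "$AUDIT_DIR/weak.cfg"     # the insecure default: readable by everyone
printf 'admin-password=secret123\n' > "$AUDIT_DIR/fixed.cfg"
chmod 600 "$AUDIT_DIR/fixed.cfg"    # the mitigation: owner-only permissions

# Stand-alone usage: report on both samples.
audit_config "$AUDIT_DIR/weak.cfg"  || echo "OK: $AUDIT_DIR/weak.cfg"
audit_config "$AUDIT_DIR/fixed.cfg" || echo "OK: $AUDIT_DIR/fixed.cfg"
```

The check is intentionally conservative: tightening the mode to 600 (as `fixed.cfg` shows) removes the local-disclosure part of the issue, which is the part a port's post-install step can enforce; it does not change the fact that the password itself is stored in clear text, so a maintainer would still want the warning Bernd mentions.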