| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 22 Nov 2003 10:20:20 -0500 (EST) From: "Larry W. Cashdollar" <lwc@...id.ath.cx> To: <bugtraq@...urityfocus.com> Subject: PrimeBase SQL Database server cleartext password storage. (fwd) PrimeBase SQL Database server cleartext password storage. Vapid Labs Security Note 10/20/03 The PrimeBase SQL Database Server 4.2 stores passwords in clear text, and based on the installation users umask settings maybe readable by all local users. >From the readme.txt file: "The Admin server will require you to enter your password in a text file called 'password.adm' (in the server folder), before you can continue. NOTE: This is the password for access to the Admin Server only." Depending on your umask settings (default 022 for root) the "Admin Server" password maybe readable by local users. Also the password is not stored as a hash or encrypted. A malicious user could uses this password to access the web based administration server and compromise the system. The database also comes with a default "Administrator" account with no password, the documentation does recommend the installer set the Administrator password during installation. Recommendations: Store the password as a hash in a file read-only by the Admin Server. Disable the Administrator account until a password has been set for it. References: http://www.primebase.de Larry Cashdollar http://vapid.dhs.org
Powered by blists - more mailing lists