lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20031122102002.K14588-100000@vapid.ath.cx>
Date: Sat, 22 Nov 2003 10:20:20 -0500 (EST)
From: "Larry W. Cashdollar" <lwc@...id.ath.cx>
To: <bugtraq@...urityfocus.com>
Subject: PrimeBase SQL Database server cleartext password storage. (fwd)


PrimeBase SQL Database server cleartext password storage.
Vapid Labs Security Note
10/20/03


	The PrimeBase SQL Database Server 4.2 stores passwords in clear
text, and based on the installation users umask settings maybe readable by
all local users.

>From the readme.txt file:

"The Admin server will require you to enter your password in a text file
called 'password.adm' (in the server folder), before you can continue.
NOTE: This is the password for access to the Admin Server only."

Depending on your umask settings (default 022 for root) the "Admin Server"
password maybe readable by local users.  Also the password is not stored
as a hash or encrypted.  A malicious user could uses this password to
access the web based administration server and compromise the system.

The database also comes with a default "Administrator" account with no
password, the documentation does recommend the installer set the
Administrator password during installation.


Recommendations: Store the password as a hash in a file read-only by the
Admin Server.  Disable the Administrator account until a password has been
set for it.

References: http://www.primebase.de


Larry Cashdollar
http://vapid.dhs.org




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ