[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060727061801.17767.qmail@securityfocus.com>
Date: 27 Jul 2006 06:18:01 -0000
From: security-alert@...ware.com
To: bugtraq@...urityfocus.com
Subject: Re: Opsware NAS 6.0 reveals MySQL 'root' password
DETAILS:
--------
The /etc/init.d/mysql script lists the root password of MySQL database:
-"INPUT_DB_PASSWORD=mysql123"
-"bin/mysqladmin -uroot -pmysql123 shutdown"
The file permission of file /etc/init.d/mysql will allow all users with a login to the NAS server to view the root password for the database.
The current permissions are :
-rwxrwxr-x 1 root root 1856 Jul 22 10:43 mysql
WORKAROUND:
-----------
Change the file permissions of /etc/init.d/mysql to limit read/write and execute to the appropriate user (eg. root).
STEPS:
------
1. Login in to NAS server as root;
2. Change file permissions :
#chmod 700 /etc/init.d/mysql
3. Verify changes to file permissions :
#ls -l /etc/init.d/mysql
The file should have the following permissions:
-rwx------ 1 root root 1856 Jul 22 10:43 mysql
NOTES:
------
NAS versions that run on Windows are not affected.
NAS versions, that run on Linux/Solaris and use
Oracle/SQL Server as their databases are not affected.
NAS versions, that run on Linux/Solaris and use MySQL installed on a host different from the core server are not affected.
CONTACT INFORMATION:
--------------------
Please contact security-alert AT opsware dot com, if you require additional information.
Network Automation System Engineering
Opsware, Inc.
Powered by blists - more mailing lists