lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060727061801.17767.qmail@securityfocus.com>
Date: 27 Jul 2006 06:18:01 -0000
From: security-alert@...ware.com
To: bugtraq@...urityfocus.com
Subject: Re: Opsware NAS 6.0 reveals MySQL 'root' password

DETAILS:
--------
The /etc/init.d/mysql script lists the root password of MySQL database:
 
-"INPUT_DB_PASSWORD=mysql123"
 -"bin/mysqladmin -uroot -pmysql123 shutdown"
 
The file permission of file /etc/init.d/mysql will allow all users with a login to the NAS server  to view the root password for the database.

The current permissions are :
-rwxrwxr-x    1 root     root         1856 Jul 22 10:43 mysql

WORKAROUND:
-----------
Change the file permissions of /etc/init.d/mysql to limit  read/write and execute to the  appropriate user (eg. root).

STEPS:
------
1. Login in to NAS server as root;

2. Change file permissions :
#chmod 700 /etc/init.d/mysql

3. Verify changes to file permissions :
#ls -l /etc/init.d/mysql
 
The file should have the following permissions:

-rwx------    1 root     root         1856 Jul 22 10:43 mysql

NOTES:
------
NAS versions that run on Windows are not affected.

NAS versions, that run on Linux/Solaris and use 
Oracle/SQL Server as their databases are not affected.

NAS versions, that run on Linux/Solaris and use MySQL installed on a host different from the core server are not affected.

CONTACT INFORMATION:
--------------------
Please contact security-alert AT opsware dot com,  if you require additional information.

Network Automation System Engineering
Opsware, Inc.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ