[10229] in bugtraq
Re: Real Media Server stores passwords in plain text
daemon@ATHENA.MIT.EDU (Peter Roth)
Thu Apr 15 13:24:44 1999
Date: Thu, 15 Apr 1999 09:45:49 +0200
Reply-To: Peter Roth <roth@PEROTECH.CH>
From: Peter Roth <roth@PEROTECH.CH>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.05.9904141044090.1804-100000@alexander.sire.es>
M. Marzoa Alonso wrote:
> -----Original Message-----
> From: Bugtraq List [mailto: Behalf Of Francisco
> M. Marzoa Alonso
> Sent: Mittwoch, 14. April 1999 10:46
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Real Media Server stores passwords in plain text
>
>
> My real media server information:
>
> fmmarzoa@alexander:/usr/local/rserver/Bin > rmserver -version
> Creating Server Space...
> Starting RealServer 6.0 Core...
> RealServer (c) 1995-1998 RealNetworks, Inc. All rights reserved.
> Version: 6.0.3.353
> Platform: linux2
>
> The fact is that through installation process it ask for a
> password that
> itsn't hide neither when you write it, but worse is that this
> password is
> stored in the file /usr/local/rmserver/rmserver.cfg in plain
> format and
> this file have as default a 644 permision mask.
>
> Excuse if this security issue was adviced before and, by the
> way, my poor
> english too.
>
> --
> Francisco M. Marzoa Alonso - SiRE
> 3CLiNUX - http://club.idecnet.com/~fmmarzoa/
>
this also affects Version 6.0.3.303 of RealAudio Basic Server on Win NT,
File Persmission is set to full access by everyone
Greetings
Peter
