[10250] in bugtraq
Re: Real Media Server stores passwords in plain text
daemon@ATHENA.MIT.EDU (Adam Laurie)
Fri Apr 16 16:40:36 1999
Date: Fri, 16 Apr 1999 10:51:18 +0100
Reply-To: Adam Laurie <adam@ALGROUP.CO.UK>
From: Adam Laurie <adam@ALGROUP.CO.UK>
To: BUGTRAQ@NETSPACE.ORG
> My real media server information:
>
> fmmarzoa@alexander:/usr/local/rserver/Bin > rmserver -version
> Creating Server Space...
> Starting RealServer 6.0 Core...
> RealServer (c) 1995-1998 RealNetworks, Inc. All rights reserved.
> Version: 6.0.3.353
> Platform: linux2
>
> The fact is that through installation process it ask for a password that
> itsn't hide neither when you write it, but worse is that this password is
> stored in the file /usr/local/rmserver/rmserver.cfg in plain format and
> this file have as default a 644 permision mask.
>
> Excuse if this security issue was adviced before and, by the way, my poor
> english too.
It gets worse... the G2 web admin facility uses forms to change/set
passwords etc. (Some of) these changes are logged, in plaintext, in the
world readable access logs for your lusers' reading pleasure...
Here's a snippit:
10.1.1.1 - - [14/Mar/1999:11:23:32 +0000] "GET
admin/auth.adduser.html?respage%3Dadduser_respage.ht
ml%26name%3Devilhaxor%26pass%3Dfreekevin%26realm%3DbadwURLd HTTP/1.0"
200 2452 [UNKNOWN] [UNKNOWN] [UNKNOWN] 0 0 0 0 0 114
I reported this to Real, but have had the expected resonse...
cheers,
Adam
--
Adam Laurie Tel: +44 (181) 742 0755
A.L. Digital Ltd. Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage http://www.aldigital.co.uk
London W4 4GB mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers
