[23293] in bugtraq
Re: Xitami Webserver stores admin password in clear text.
daemon@ATHENA.MIT.EDU (Larry W. Cashdollar)
Wed Nov 28 19:15:41 2001
Date: Wed, 28 Nov 2001 09:52:42 -0500 (EST)
From: "Larry W. Cashdollar" <lwc@vapid.dhs.org>
To: Tom Micklovitch <h_bugtraq@yahoo.com>
Cc: <bugtraq@securityfocus.com>
In-Reply-To: <20011127101358.8140.qmail@web20308.mail.yahoo.com>
Message-ID: <20011128094800.N83706-100000@vapid.dhs.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Tue, 27 Nov 2001, Tom Micklovitch wrote:
> This is a known issue, and certainly on Windows versions of Xitami, you actually have to create
> the file defaults.aut yourself, as in, actually type in its contents.
I know it is; it's in the FAQ mentioned on the Xitami website and
referenced in my advisory, which is why I released a little early.
> But you are correct - it would be nice if it was encoded somehow.
>
> A more worrying issue is the fact that defaults.aut is world readable AND writable, hence if you
> have shared the drive it's on, anyone on the local network can simply replace it with their password.
I only tested on Linux, and in my installation defaults.aut was world
readable but not world writable. I did notice that in the development
version 2.5b5 the default.aut file was group writable as well.
-- Larry
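The disagreement above is about the permission bits on a file that holds a clear-text credential. As an added example (not part of the thread and not Xitami code), the POSIX shell script below reports whether a given file is readable or writable by group or other, which is the check an administrator would run on defaults.aut after installation. It assumes a `stat` binary in either the GNU (`-c`) or BSD (`-f`) spelling plus `mktemp`; the temporary file and its placeholder credential are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: audit the permission bits on a
# file that stores a clear-text credential, such as Xitami's defaults.aut.
# Assumes POSIX sh with stat (GNU or BSD) and mktemp available.

# Print the octal mode of a file, GNU stat spelling first, BSD spelling second.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# check_secret_perms FILE
# Returns 0 when neither group nor other can read or write FILE,
# 1 when they can (one WARN line per finding), 2 when FILE cannot be examined.
check_secret_perms() {
    f=$1
    mode=$(file_mode "$f") || return 2
    [ -n "$mode" ] || return 2
    # The last two octal digits are the group and other permission triples.
    oth=${mode#"${mode%?}"}
    rest=${mode%?}
    grp=${rest#"${rest%?}"}
    bad=0
    [ $((grp & 4)) -ne 0 ] && { echo "WARN: $f (mode $mode) is group-readable"; bad=1; }
    [ $((grp & 2)) -ne 0 ] && { echo "WARN: $f (mode $mode) is group-writable"; bad=1; }
    [ $((oth & 4)) -ne 0 ] && { echo "WARN: $f (mode $mode) is world-readable"; bad=1; }
    [ $((oth & 2)) -ne 0 ] && { echo "WARN: $f (mode $mode) is world-writable"; bad=1; }
    return $bad
}

# Demo on a constructed temporary file: the modes discussed in the thread
# (644 world-readable, 664 group-writable as well) versus owner-only 600.
demo() {
    tmp=$(mktemp) || return 2
    printf 'admin:placeholder-password\n' > "$tmp"   # constructed, not a real credential
    for m in 644 664 600; do
        chmod "$m" "$tmp"
        if check_secret_perms "$tmp"; then
            echo "OK: mode $m keeps the credential owner-only"
        fi
    done
    rm -f "$tmp"
}

demo
```

The fix for a finding is `chmod 600` on the file (and making sure the directory containing it is not writable by others, or the file can simply be replaced, which is the concern raised in the quoted message). The mode check is deliberately separate from any remediation so it can be run read-only from a cron job or an inventory script and only report.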