[23305] in bugtraq
Re: Xitami Webserver stores admin password in clear text.
daemon@ATHENA.MIT.EDU (Bernd Luevelsmeyer)
Wed Nov 28 23:29:52 2001
Date: Thu, 29 Nov 2001 05:06:00 +0100
From: Bernd Luevelsmeyer <bdluevel@heitec.net>
MIME-Version: 1.0
To: "Larry W. Cashdollar" <lwc@vapid.dhs.org>
Cc: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20011129040600.77796B8101@christel.heitec.net>
Larry W. Cashdollar wrote:
>
> I am releasing this a bit early as the vendor has been aware of this issue
> for a while now.
[...]
> The webserver administrator password is stored clear-text in a world
> readable file. A local user can use the webserver admin password to gain
> control of (by default) root owned xitami process. The server can then be
> reconfigured by the malicious user (locally unless configured to allow
> remote administration) to read sensitive system files and execute commands
> as root.
[...]
On FreeBSD, the Xitami port installs in a way that Xitami has only
its default configuration and will not run automatically; the user
has to complete the installation manually, the intention being, of
course, that he/she will configure the program first, including the
security matters.
You are right, however: if that's not done and Xitami is simply
started, then it is insecure. I'll add a more descriptive warning to
the port.
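As an added example (not part of this thread, the advisory, or Xitami itself), the condition the advisory describes can be audited with a small POSIX shell check: does a given file carry a clear-text password line, and is it readable by "other"? The script does not assume any Xitami file name or path; it takes the file to inspect as an argument, and the sample files it creates in a temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the advisory or the Xitami project. Audits whether a
# credential-bearing file is world-readable. File names used below are constructed.

# other_readable FILE -> exit 0 if the "other" read bit is set.
# Column 8 of `ls -ld` output is the other-read bit; this avoids the
# non-portable stat(1) flag differences between Linux and the BSDs.
other_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# has_plaintext_secret FILE -> exit 0 if a line looks like
# "password=...", "admin_password: ..." etc. (heuristic, case-insensitive).
has_plaintext_secret() {
    grep -Eiq '^[[:space:]]*(admin[_-]?)?pass(word|wd)?[[:space:]]*[=:]' "$1"
}

# audit_secret_file FILE -> prints a verdict.
# exit 0: no clear-text password exposed to other users
# exit 1: clear-text password present AND file is world-readable
# exit 2: file missing
audit_secret_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "no such file: $f" >&2
        return 2
    fi
    if has_plaintext_secret "$f" && other_readable "$f"; then
        echo "EXPOSED: $f is world-readable and contains a clear-text password line"
        return 1
    fi
    echo "ok: $f"
    return 0
}

# Demo with constructed files (these are not real Xitami configuration files).
tmp=$(mktemp -d)
printf 'admin_password=hunter2\n' > "$tmp/weak.cfg"
chmod 644 "$tmp/weak.cfg"          # the weak setting: mode 644, readable by everyone
printf 'admin_password=hunter2\n' > "$tmp/fixed.cfg"
chmod 600 "$tmp/fixed.cfg"         # the corrected setting: owner-only
audit_secret_file "$tmp/weak.cfg" || true    # reports EXPOSED, returns 1
audit_secret_file "$tmp/fixed.cfg"           # reports ok, returns 0
rm -rf "$tmp"
```

Restricting the mode only helps if the file's owner is not every local user; since the advisory notes the server runs as root by default, the file should be owned by root (or the dedicated service account) with mode 600, and the password line should not be copied into world-readable backups or logs.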