[15263] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Piranha password file

daemon@ATHENA.MIT.EDU (frostman@SECUREACCESS.INTRANETS.CO)
Thu Jun 8 16:13:29 2000

Content-Type: text/plain
Content-Disposition: inline
Mime-Version: 1.0
Message-Id:  <20000602192938.23036.cpmta@c000.snv.cp.net>
Date:         Fri, 2 Jun 2000 12:29:38 -0700
Reply-To: frostman@SECUREACCESS.INTRANETS.COM
From: frostman@SECUREACCESS.INTRANETS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Looking at the default install of Piranha on RH 6.2 the password file is world readable and encrypted with standard DES. Hence any user with a shell account can download this password file and crack it in turn giving them access to the Piranha configuration and probably more. I'm still testing to see what else can be gained. I looked over the previous advisories on your site and Red Hat's and this wasn't mentioned.

_________________________________________________________________
Get your own free, private space on the Web at www.intranets.com.


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[15263] in bugtraq

Piranha password file

daemon@ATHENA.MIT.EDU (frostman@SECUREACCESS.INTRANETS.CO)Thu Jun 8 16:13:29 2000

daemon@ATHENA.MIT.EDU (frostman@SECUREACCESS.INTRANETS.CO)
Thu Jun 8 16:13:29 2000