Bugtraq mailing list archives

Re: Xitami Web Server (32-bit) 2.5b4 Plaintext Administrator Password Storage


From: "Florian Hobelsberger / BlueScreen" <genius28 () gmx de>
Date: Fri, 21 Jun 2002 12:10:33 +0200

Did you even care about reading the Xitami FAQ?

This small section tells you everything you need to know
(http://www.imatix.com/html/xitami/index13.htm#m_7):

7: Why is the password file not encrypted?

In general if access to your server is secure, then the lack of encryption
is not a problem. If someone can read the Xitami directory on your system,
they can see the passwords. Note that even if you use a hashed password
file, it is often trivial to discover passwords using a dictionary-based
attack. It's therefore much better to concentrate on hiding the password
file than on encrypting it. At some future date, Xitami will support
encrypted (hashed) passwords.



That could be the reason why Imatix hasn't answered you yet.


Best regards....


-------------------------------------------------------
BlueScreen / Florian Hobelsberger (UIN: 101782087)
Member of:
www.IT-Checkpoint.net
www.Hackeinsteiger.de
www.DvLdW.de

==================================================================
To encrypt classified messages, please download and use this PGP-Key:

http://www.florian-hobelsberger.de/BlueScreen-PGP-PubKey.txt
==================================================================
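Added example, not part of the post above and not Xitami's own code. The quoted FAQ argues that a hashed password file still falls to a dictionary attack, which holds for fast, unsalted hashes. This constructed example shows the defensive counterpart a server operator would want instead of plaintext: a per-user random salt plus a slow PBKDF2-HMAC-SHA256 digest, so a stolen file cannot be matched against a precomputed list and every guess costs a full KDF round. The file format (user:pbkdf2_sha256:iterations:salt:digest), the iteration count and the user names are this example's own assumptions.

```python
"""Salted, slow password file for an HTTP server (constructed example).

Not from the Xitami project or the original mailing-list post; the file
format, iteration count and sample users are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

KDF_ITERATIONS = 200_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16            # 128-bit random salt per user


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def make_record(username: str, password: str, salt: Optional[bytes] = None) -> str:
    """Return one password-file line: user:pbkdf2_sha256:iterations:salt:digest.

    The salt is random per user, so two users with the same password get
    different digests and a precomputed dictionary of digests is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return f"{username}:pbkdf2_sha256:{KDF_ITERATIONS}:{_b64(salt)}:{_b64(digest)}"


def parse_record(line: str) -> dict:
    """Split a stored line back into its fields; rejects unknown algorithms."""
    user, algo, iters, salt, digest = line.strip().split(":")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported algorithm {algo!r}")
    return {
        "user": user,
        "iterations": int(iters),
        "salt": base64.b64decode(salt),
        "digest": base64.b64decode(digest),
    }


def build_password_file(entries: Dict[str, str]) -> str:
    """Build the file text from {user: password}; plaintext is never written."""
    return "\n".join(make_record(u, p) for u, p in entries.items()) + "\n"


def verify(password_file: str, username: str, password: str) -> bool:
    """Check a login against the file contents (passed here as a string)."""
    for line in password_file.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_record(line)
        if rec["user"] != username:
            continue
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), rec["salt"], rec["iterations"]
        )
        # Constant-time comparison so response timing does not leak how
        # many leading bytes of the digest a guess matched.
        return hmac.compare_digest(candidate, rec["digest"])
    return False


if __name__ == "__main__":
    # Constructed sample accounts; the passwords exist only in this script.
    pwfile = build_password_file({"admin": "correct horse", "bob": "hunter2"})
    print(pwfile)
    print(verify(pwfile, "admin", "correct horse"))  # True
    print(verify(pwfile, "admin", "hunter2"))        # False
```

The stored line carries the algorithm name and iteration count, so the work factor can be raised later and old records re-hashed at the user's next successful login. Hiding the file from other local users, as the FAQ recommends, still applies; the salt and KDF only limit the damage once the file has leaked.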


