Bugtraq mailing list archives
Re: Real Media Server stores passwords in plain text
From: adam () ALGROUP CO UK (Adam Laurie)
Date: Fri, 16 Apr 1999 10:51:18 +0100
My real media server information:

fmmarzoa@alexander:/usr/local/rserver/Bin > rmserver -version
Creating Server Space...
Starting RealServer 6.0 Core...
RealServer (c) 1995-1998 RealNetworks, Inc. All rights reserved.
Version: 6.0.3.353
Platform: linux2

The fact is that through the installation process it asks for a password that isn't hidden when you type it, but worse is that this password is stored in the file /usr/local/rmserver/rmserver.cfg in plain format and this file has by default a 644 permission mask.

Excuse me if this security issue was advised before and, by the way, my poor English too.
It gets worse... the G2 web admin facility uses forms to change/set passwords etc. (Some of) these changes are logged, in plaintext, in the world readable access logs for your lusers' reading pleasure...

Here's a snippet:

10.1.1.1 - - [14/Mar/1999:11:23:32 +0000] "GET admin/auth.adduser.html?respage%3Dadduser_respage.ht
ml%26name%3Devilhaxor%26pass%3Dfreekevin%26realm%3DbadwURLd HTTP/1.0" 200 2452 [UNKNOWN] [UNKNOWN] [UNKNOWN] 0 0 0 0 0 114

I reported this to Real, but have had the expected response...

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam () algroup co uk
UNITED KINGDOM                PGP key on keyservers
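
Added example, not part of the original post or of any RealNetworks code: a small audit script that finds credential parameters in access-log request lines like the one quoted above, including when `=` and `&` are percent-encoded as `%3D` and `%26`, and emits a masked copy of the line. The parameter-name list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Parameter names treated as credentials (assumed list; extend per application).
SECRET_KEYS = {"pass", "password", "passwd", "pwd"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PAIR_RE = re.compile(r"([^?&=\s]+)=([^&\s]*)")

def fully_decode(text, rounds=3):
    """Percent-decode repeatedly so %3D / %26 encoded separators become = and &."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def find_logged_secrets(line):
    """Return [(param, value)] for credential parameters in one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    pairs = PAIR_RE.findall(fully_decode(m.group(1)))
    return [(k, v) for k, v in pairs if k.lower() in SECRET_KEYS and v]

def redact(line):
    """Return the line with the request decoded and credential values masked."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    def mask(p):
        key = p.group(1)
        return f"{key}=[REDACTED]" if key.lower() in SECRET_KEYS else p.group(0)
    masked = PAIR_RE.sub(mask, fully_decode(m.group(1)))
    return line[:m.start(1)] + masked + line[m.end(1):]

# Constructed sample lines (not from the original post).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET admin/auth.adduser.html'
    '?respage%3Dadduser_respage.html%26name%3Dalice%26pass%3DExamplePw1'
    '%26realm%3Ddemo HTTP/1.0" 200 2452',
    '192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "GET /login?user=bob&password=hunter2x HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2024:10:02:00 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LOG, 1):
        for key, _ in find_logged_secrets(line):
            print(f"line {n}: credential parameter '{key}' logged in clear")
            print("  " + redact(line))
```

A plain search for `pass=` misses the first sample line because the separators are percent-encoded, which is why the request target is decoded before matching.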