Bugtraq mailing list archives

Re: Real Media Server stores passwords in plain text


From: adam () ALGROUP CO UK (Adam Laurie)
Date: Fri, 16 Apr 1999 10:51:18 +0100


My real media server information:

fmmarzoa@alexander:/usr/local/rserver/Bin > rmserver -version
Creating Server Space...
Starting RealServer 6.0 Core...
RealServer (c) 1995-1998 RealNetworks, Inc. All rights reserved.
Version:        6.0.3.353
Platform: linux2

The fact is that the installation process asks for a password that
isn't hidden when you type it, but worse, this password is
stored in the file /usr/local/rmserver/rmserver.cfg in plain format, and
this file has a 644 permission mask by default.

Excuse me if this security issue was reported before and, by the way, excuse
my poor English too.

It gets worse... the G2 web admin facility uses forms to change/set
passwords etc. (Some of) these changes are logged, in plaintext, in the
world-readable access logs for your lusers' reading pleasure...

Here's a snippet:

  10.1.1.1 - - [14/Mar/1999:11:23:32 +0000]  "GET admin/auth.adduser.html?respage%3Dadduser_respage.html%26name%3Devilhaxor%26pass%3Dfreekevin%26realm%3DbadwURLd HTTP/1.0" 200 2452 [UNKNOWN] [UNKNOWN] [UNKNOWN] 0 0 0 0 0 114

I reported this to Real, but have had the expected response...

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam () algroup co uk
UNITED KINGDOM                PGP key on keyservers
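The two problems in this thread (a world-readable config holding a plaintext password, and credentials carried in GET query strings so that every access log on the path records them) are both easy to check for mechanically. The script below is an added example and is not code from the original post or from RealNetworks: it scans access-log request lines for credential-bearing query parameters, URL-decoding repeatedly because the RealServer admin form encoded the '=' and '&' separators themselves (%3D / %26), and it shows the world-readable-mode check with a throwaway file. The sample log lines are constructed to match the shape of the snippet above, and the list of parameter names treated as credentials is an assumption, not something the post specifies.

```python
"""
Added example (not part of the original Bugtraq post): find credentials
leaked through GET query strings in an access log, and check a config
file for the world-readable mode the post describes.
The sample log lines below are constructed, not captured data.
"""
import os
import re
import stat
import tempfile
from urllib.parse import unquote, parse_qsl

# Assumed parameter names that indicate a credential travelling in the URL.
CREDENTIAL_PARAMS = {"pass", "passwd", "password", "pwd", "secret", "token"}

# Common-log-format request line: METHOD URL PROTOCOL inside double quotes.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+HTTP/[\d.]+"')

SAMPLE_LOG = (
    # constructed lines in the shape of the RealServer access log in the post
    '10.1.1.1 - - [14/Mar/1999:11:23:32 +0000]  "GET '
    'admin/auth.adduser.html?respage%3Dadduser_respage.html%26name%3Devilhaxor'
    '%26pass%3Dfreekevin%26realm%3DbadwURLd HTTP/1.0" 200 2452\n'
    '10.1.1.2 - - [14/Mar/1999:11:24:01 +0000]  "GET admin/index.html HTTP/1.0" 200 812\n'
    '10.1.1.3 - - [14/Mar/1999:11:25:10 +0000]  "GET '
    'admin/auth.chpass.html?name=alice&password=Hunter2&realm=x HTTP/1.0" 200 900\n'
)


def extract_credentials(line):
    """Return [(param, value), ...] for credential parameters found in one log line.

    The query string is URL-decoded until it stops changing (bounded), because
    a form that encodes '=' and '&' as %3D and %26 leaves one opaque parameter
    after a single decode.
    """
    m = REQUEST_RE.search(line)
    if not m or "?" not in m.group("url"):
        return []
    query = m.group("url").split("?", 1)[1]
    for _ in range(3):
        decoded = unquote(query)
        if decoded == query:
            break
        query = decoded
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in CREDENTIAL_PARAMS]


def scan_log(text):
    """Scan a whole access log; return [(client_ip, [(param, value), ...]), ...]."""
    hits = []
    for line in text.splitlines():
        creds = extract_credentials(line)
        if creds:
            hits.append((line.split(" ", 1)[0], creds))
    return hits


def world_readable(path):
    """True if 'other' has read permission on path (the 0644 default in the post)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo_config_check():
    """Create a throwaway file with mode 0644, check it, tighten to 0600, re-check.

    Returns (world_readable_before, world_readable_after). Assumes a POSIX host.
    """
    fd, path = tempfile.mkstemp(suffix=".cfg")
    os.close(fd)
    try:
        os.chmod(path, 0o644)          # the shipped default described in the post
        before = world_readable(path)
        os.chmod(path, 0o600)          # owner-only: the fix
        after = world_readable(path)
        return before, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for client, creds in scan_log(SAMPLE_LOG):
        print(f"{client}: credential in request URL -> {creds}")
    print("config world-readable before/after chmod 600:", demo_config_check())
```

Run it against a real log with `scan_log(open("access.log").read())`; any hit means the credential is already on disk wherever that log is copied (and in any proxy or CDN log upstream), so rotating it is the only remedy. The config check is the one-line equivalent of `stat` plus `chmod 600`, which is the fix for the 644 default the original poster found.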
