Bugtraq mailing list archives

Re: Real Media Server stores passwords in plain text

From: monwel () INTERHACK NET (Doug Monroe)
Date: Mon, 19 Apr 1999 20:37:49 -0400

M. Marzoa Alonso wrote:

The fact is that through installation process it ask for a
password that itsn't hide neither when you write it, but worse is that this
password is stored in the file /usr/local/rmserver/rmserver.cfg in plain
format

Peter Roth <roth () PEROTECH CH> wrote:
this also affects Version 6.0.3.303 of RealAudio Basic Server on Win NT,
File Persmission is set to full access by everyone


tangetially related to Real Server/cleartext passwords....but mostly
related to bad practices on the part of application developers. FWIW-

Station Manager from Lariat Software (www.lariat.com) manages/schedules
content offered on Real Servers and has similar issues. Quoting from their
docs:

    In order to access Station Manager, it must be installed on a Web
    server. You can install Station Manager directly into the Web
    server's root directory or in another directory on the same computer
    as long as the directory is a virtual directory of the Web server.
Installing the product under docroot means all of the
installed files are viewable and/or retrievable. This includes
license info, manuals, admin info, *config* files...for example:
http://my.example.com/stationmanager/lariat/server/config/stnmng.cfg
might reward you with:
---
  RVSLTA        Z:\Real\Server\Bin\rvslta.exe
  SERVERHOSTNAME        somehost.example.com
  SERVERPASSWORD        xyz123            <-- ed note: Real Server pw here
  SERVERPORT    7777
  CONVERSION    somehost.example.com 7777 X:\rmfiles
  STATIONMANAGERPASSWORD        foobar
---
Of course you can use access control mechanisms to protect yourself but
nowhere do they warn of these pitfalls and if someone installs the product
under the docroot of a typical server:
  a) without access control
  b) with directory listings enabled
then the above config files and their passwords (among other things) are
exposed. Even if directory listing is dis-abled, one can still retrieve config
files (for example) if one simply knows the correct path/filename.
Lariat has been told and may be in the process of modifying documentation.

Current thread:

Re: Real Media Server stores passwords in plain text Adam Laurie (Apr 16)
- <Possible follow-ups>
- Re: Real Media Server stores passwords in plain text Doug Monroe (Apr 19)
- Re: Real Media Server stores passwords in plain text Lawrence S. Lee (Apr 22)