Vapid Labs Security Note - The PrimeBase SQL Database Server 4.2 stores passwords in clear text. Depending on the installation user's umask settings, it may be readable by all local users.
43002c694b892879a9fefb2c4763eaa0435c8018f79e132da7c50c1395f81a57PrimeBase SQL Database server cleartext password storage.
Vapid Labs Security Note
10/20/03
The PrimeBase SQL Database Server 4.2 stores passwords in clear
text, and based on the installation users umask settings maybe readable by
all local users.
>From the readme.txt file:
"The Admin server will require you to enter your password in a text file
called 'password.adm' (in the server folder), before you can continue.
NOTE: This is the password for access to the Admin Server only."
Depending on your umask settings (default 022 for root) the "Admin Server"
password maybe readable by local users. Also the password is not stored
as a hash or encrypted. A malicious user could uses this password to
access the web based administration server and compromise the system.
The database also comes with a default "Administrator" account with no
password, the documentation does recommend the installer set the
Administrator password during installation.
Recommendations: Store the password as a hash in a file read-only by the
Admin Server. Disable the Administrator account until a password has been
set for it.
References: http://www.primebase.de
Larry Cashdollar
http://vapid.dhs.org
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed