[Xitami] Plaintext passwords on Bugtraq (again)
Michael Burns
xitami@lists.xitami.org
Fri, 21 Jun 2002 06:38:07 -0700
The problem is not that the configuration file is in plain text.
The problem is that the "passwords" are in "plaintext", not "cyphertext".
Any user with read access to the file - all users on Windows 9X/ME and
non-NTFS drives - can read those passwords.
A typical solution is to place a "hash" of the password into the file.
Mike
At 02:22 PM 6/21/2002 +0200, you wrote:
>http://online.securityfocus.com/archive/1/277941
>
>Would someone from Imatix like to explain (again) to bugtraq that read
>access to any configuration file whether or not it contains passwords is a
>huge security hole. But that in windows with no user access control you
>can't hide files.
Michael Burns
mburns83@directvinternet.com
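
The "hash in the file" approach mentioned in the message above, as an added example that is not part of the original post and is not Xitami's own code. The `user=password` file layout, the stored-hash format, the function names and the iteration count are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune for the host
SCHEME = "pbkdf2-sha256"

def hash_password(password, salt=None):
    """Return 'scheme$iterations$salt$digest' for storage in place of the password."""
    salt = salt or os.urandom(16)  # per-entry salt: equal passwords get different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "{}${}${}${}".format(SCHEME, ITERATIONS,
                                base64.b64encode(salt).decode(),
                                base64.b64encode(digest).decode())

def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_b64, digest_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except ValueError:  # malformed entry: wrong field count, bad base64, bad number
        return False
    return hmac.compare_digest(candidate, expected)

def migrate(lines):
    """Rewrite 'user=plaintext' entries as 'user=<hash>'; keep comments and hashed entries."""
    out = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            out.append(line)
            continue
        user, value = stripped.split("=", 1)
        if not value.startswith(SCHEME + "$"):
            value = hash_password(value)
        out.append("{}={}".format(user, value))
    return out

# Constructed sample of a plaintext password file (hypothetical format).
SAMPLE = ["# users", "admin=s3cret", "guest=guest"]
```

Anyone who can read the file can still run offline guesses against the hashes, so weak passwords remain exposed and file permissions still matter where the operating system provides them.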