[Xitami] Plaintext passwords on Bugtraq (again)
Francis Turner
xitami@lists.xitami.org
Fri, 21 Jun 2002 16:27:55 +0200
Michael Burns wrote:
> The problem is not that the configuration file is in plain text.
>
> The problem is that the "passwords" are in "plaintext", not
> "cyphertext". Any user with read access to the file - all users on
> Windows 9X/ME and non-NTFS drives - can read those passwords.
So what?
a) The passwords will be sent over the wire base64 encoded, which is
essentially plaintext since it is NOT a one-way hash. These passwords are
therefore nothing close to secure anyway, which is why no one uses them
for web authentication in places where security is an issue.
b) The problem is the lack of windows user/file ownership not the
plaintextness of the passwords. If you have console access to a windows
machine running any webserver you can do anything you want. The fact
that you have access to the password file is a trivial side-effect.
>
> A typical solution is to place a "hash" of the password into the file.
Encyphering these passwords would actually give a misleading sense of
security since it is so easy to see them over the wire.
By the way
If you want to have secure password access the best way is to use a CGI
program to set a cookie and a GSL or similar script to read the cookie
and display the page if it matches that in an XML hash file. This can be
quite general purpose (i.e. you can do
http://server/secure.gsl?/path/file.htm to display arbitrary files but
with an initial security check to see if this should be permitted).
If anyone wants the code for the above I would be happy to share it
somewhere once I have tidied it up a bit. It really isn't complicated
once you decide how to allocate the permissions.
Francis
--
...if the US Government were ever to get really serious about Internet
security, the top players in Microsoft's management hierarchy would find
themselves handcuffed, blindfolded, led onto a tarmac within some obscure
Air Force base, and shot.
-- Thomas C Greene (http://www.theregister.co.uk/content/55/23223.html)