[Xitami] Plaintext passwords on Bugtraq (again)
Michael Burns
xitami@lists.xitami.org
Fri, 21 Jun 2002 19:02:00 -0700
At 04:27 PM 6/21/2002 +0200, Francis wrote:
>Michael Burns wrote:
>
>>The problem is not that the configuration file is in plain text.
>>
>>The problem is that the "passwords" are in "plaintext", not "cyphertext".
>>Any user with read access to the file - all users on Windows 9X/ME and
>>non-NTFS drives - can read those passwords.
>
>So what?
>a) The passwords will be sent over the wire as base64 encoded, which is
>essentially plaintext since it is NOT a 1-way hash. These passwords are
>therefore nothing close to secure anyway which is why no one uses them for
>web authentication in places where security is an issue.
If you look at the problem report again, they don't have an issue with web
authentication.
The problem is that the administrator's username and password are saved in
plaintext in the configuration file. Anyone with local access to the
computer has access to the administrator's username and password - and all
other passwords, since Xitami stores all passwords in plaintext.
>b) The problem is the lack of windows user/file ownership not the
>plaintextness of the passwords. If you have console access to a windows
>machine running any webserver you can do anything you want. The fact that
>you have access to the password file is a trivial side-effect.
No, that is not a trivial side-effect. It is not even a side effect. A
"choice" was made to leave the password in plaintext!
Imatix,
Why were the passwords in the configuration files (default.aut,
ftpusers.aut, etc.) left in plaintext? Is there any plan to change that?
Mike
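The two points argued above (base64 on the wire is an encoding, not a hash; a configuration file that stores passwords in plaintext reveals them to anyone who can read it) can be illustrated in working code. This is an added example and is not Xitami's or iMatix's code; it does not reproduce Xitami's `.aut` file format. The credential, the `make_password_record`/`verify_password` helpers and the PBKDF2 parameters are all constructed here for illustration. It shows the HTTP Basic header decoding back to the exact password, and then contrasts a plaintext record with a salted, iterated hash record that a file reader cannot turn back into the password.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample credential for this demonstration only.
SAMPLE_USER = "admin"
SAMPLE_PASSWORD = "correct horse battery staple"


def basic_auth_header(user: str, password: str) -> str:
    """Build an HTTP Basic 'Authorization' value: base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def decode_basic_auth_header(value: str) -> tuple:
    """Base64 is reversible: the header decodes to the original user and password."""
    token = value.split(" ", 1)[1]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def plaintext_record(user: str, password: str) -> str:
    """Constructed 'user:password' line, the kind of record a plaintext store keeps."""
    return f"{user}:{password}"


def make_password_record(password: str, iterations: int = 100_000) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 record; this is what a config file should store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def record_reveals_password(record: str, password: str) -> bool:
    """Would someone who can read the stored record learn the password from it?"""
    return password in record


if __name__ == "__main__":
    hdr = basic_auth_header(SAMPLE_USER, SAMPLE_PASSWORD)
    print("Basic header decodes to:", decode_basic_auth_header(hdr))
    print("plaintext record leaks password:",
          record_reveals_password(plaintext_record(SAMPLE_USER, SAMPLE_PASSWORD), SAMPLE_PASSWORD))
    rec = make_password_record(SAMPLE_PASSWORD)
    print("hashed record leaks password:", record_reveals_password(rec, SAMPLE_PASSWORD))
    print("verify correct:", verify_password(rec, SAMPLE_PASSWORD))
    print("verify wrong:", verify_password(rec, "not the password"))
```

The hashed record still lets the server authenticate users, so nothing in the web-authentication path is lost; what changes is that read access to the file no longer equals possession of the administrator's password. The salt is stored alongside the hash and is not secret; the iteration count is what makes offline guessing slow.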