[Xitami] Plaintext passwords on Bugtraq (again)

Gunnar Swan xitami@lists.xitami.org
Sat, 22 Jun 2002 09:04:39 -0700


1. Leave NT at the login screen. This keeps snoopers out.
2. Your 'Guest' accounts should not have permission to the Xitami folder.
3. SSL will help secure the connection.

Xitami can't be at fault for a machine that is not locked down.

6/21/02 7:02:00 PM, Michael Burns <mburns83@directvinternet.com> wrote:

>
>At 04:27 PM 6/21/2002 +0200, Francis wrote:
>
>>Michael Burns wrote:
>>
>>>The problem is not that the configuration file is in plain text.
>>>
>>>The problem is that the "passwords" are in "plaintext", not "cyphertext". 
>>>Any user with read access to the file - all users on Windows 9X/ME and 
>>>non-NTFS drives - can read those passwords.
>>
>>So what?
>>a) The passwords will be sent over the wire as base64 encoded which is 
>>essentially plaintext since it is NOT a 1-way hash. These passwords are 
>>therefore nothing close to secure anyway which is why no one uses them for 
>>web authentication in places where security is an issue.
>
>If you look at the problem report again, they don't have an issue with web 
>authentication.
>
>The problem is that the administrator's username and password are saved in 
>plaintext in the configuration file. Anyone with local access to the 
>computer has access to the administrator's username and password - and all 
>other passwords, since Xitami stores all passwords in plaintext.
>
>>b) The problem is the lack of windows user/file ownership not the 
>>plaintextness of the passwords. If you have console access to a windows 
>>machine running any webserver you can do anything you want. The fact that 
>>you have access to the password file is a trivial side-effect.
>
>No, that is not a trivial side-effect. It is not even a side effect. A 
>"choice" was made to leave the password in plaintext!
>
>
>Imatix,
>
>Why were the passwords in the configuration files (default.aut, 
>ftpusers.aut, etc.) left in plaintext? Is there any plan to change that?
>
>
>Mike
>
>
>--
>Xitami Users Mailing List -- For Xitami support
>To unsubscribe: http://lists.xitami.org/mailman/listinfo/xitami
>
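The contrast this thread draws, as an added example that is not code from the Xitami project or from any poster: base64-encoded Basic-auth credentials decode straight back to the password, whereas a salted one-way hash lets a server verify a login without ever holding the password on disk. The `user:password` entry layout and the `pbkdf2_sha256$...` record format are assumptions for illustration, not Xitami's actual .aut format.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample, in the style of a plaintext "user:password" entry.
PLAINTEXT_ENTRY = "admin:s3cret"


def basic_auth_header(user, password):
    """Build the Authorization value a browser sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def recover_from_header(header):
    """base64 is an encoding, not a hash: the credentials come straight back."""
    assert header.startswith("Basic ")
    decoded = base64.b64decode(header[len("Basic "):]).decode()
    user, _, password = decoded.partition(":")
    return user, password


def hash_entry(user, password, salt=None, iterations=200_000):
    """Store a salted PBKDF2-HMAC-SHA256 digest instead of the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{user}:pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_entry(entry, user, password):
    """Check a presented password against a hashed entry, in constant time."""
    stored_user, _, rest = entry.partition(":")
    if stored_user != user:
        return False
    try:
        algo, iters, salt_hex, digest_hex = rest.split("$")
    except ValueError:
        return False  # malformed record, not a plaintext fallback
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    user, pw = PLAINTEXT_ENTRY.split(":")
    print(recover_from_header(basic_auth_header(user, pw)))  # password recovered
    print(verify_entry(hash_entry(user, pw), user, pw))       # True, no plaintext kept
```

A file of hashed entries still needs tight file permissions, as the reply above notes, but a reader of it no longer learns every user's password outright.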