[Xitami] Plaintext passwords on Bugtraq (again)

Thomas J. Hruska xitami@lists.xitami.org
Mon, 24 Jun 2002 09:11:36 -0400


At 10:58 AM 6/24/2002 +0200, Pieter Hintjens writeth:
>Michael Burns <mburns83@directvinternet.com> wrote:
>> Imatix,
>> 
>> Why were the passwords in the configuration files (default.aut, 
>> ftpusers.aut, etc.) left in plaintext? Is there any plan to change
>> that?
>
>I think the FAQ answers the 'why', and I don't see any flaws in the 
>original reasoning: if someone can read your password files, then (a) 
>they can use dictionary-based attacks, and (b) your general security 
>has been compromised and that is much more serious than whether the 
>passwords are hashed or not (and the extra hour or two that takes for 
>someone to crack enough of them to get into your server).
>
>My personal opinion is that flagrantly unsecured password files are 
>actually a 'feature' since they oblige the system administrator to 
>think seriously about security issues (such as running NTFS vs. 
>FAT32).
>
>But that may just be laziness.  We've always planned to implement 
>password hashing at some stage.  Given that this issue keeps coming 
>back, we'll look at this for the next release.
>
>The planned design is this: we will keep the existing file 
>structures, and put the hashing logic inside Xitami.  When it reads a 
>password file, it will hash any (new) unhashed passwords.  We don't 
>want to break scripts that create password files.

However, the problem still won't go away since anyone sniffing for packets
can grab any HTTP Authorization header and store it away for a later replay
attack (MD5 hashes included).  What is worse is that Xitami doesn't have
DIGEST mode available which means that the username:password combination is
only Base64 encoded (and makes it _VERY_ easy to obtain access to "secure"
areas - e.g. remote /admin access).  Even with DIGEST mode, it still
doesn't stop a replay attack since the HTTP protocol doesn't have any
secure handshaking methods.

So, hashing the files might help some locally, but won't stop anyone from
attacking the server remotely.  The problem is not necessarily with Xitami
but also has to do with the inherent weakness of the HTTP protocol.

Hope this helps!


          Thomas J. Hruska -- shinelight@shininglightpro.com
Shining Light Productions -- "Meeting the needs of fellow programmers"
                  http://www.shininglightpro.com/
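The two points in this thread, hashing the password file on load while keeping its format, and the fact that a Basic Authorization header carries the credentials reversibly, can be seen together in the small server-side sketch below. This is an added example and not Xitami's own code; it assumes a hypothetical `username:password` per line file format (the real `.aut` syntax is not given here), uses salted PBKDF2 rather than MD5, and embeds a constructed sample file and a constructed header.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed file format (hypothetical, not Xitami's actual .aut syntax):
# one "username:password" pair per line, '#' starts a comment line.
# Constructed sample input for the example, not a real password file.
SAMPLE_AUT = """# constructed sample file
alice:s3cret
bob:hunter2
"""

HASH_PREFIX = "$pbkdf2$"   # marks an entry that has already been hashed
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as $pbkdf2$<iters>$<salt>$<dk>."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{HASH_PREFIX}{ITERATIONS}${salt.hex()}${dk.hex()}"


def is_hashed(value: str) -> bool:
    return value.startswith(HASH_PREFIX)


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored entry."""
    if not is_hashed(stored):
        # Legacy plaintext entry; should not remain after load_and_upgrade().
        return hmac.compare_digest(password.encode(), stored.encode())
    _, _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def load_and_upgrade(text: str) -> Tuple[Dict[str, str], str, int]:
    """Parse the file, hash any still-plaintext entries, and return
    (users, rewritten file text, number of entries upgraded).
    Comments and blank lines are preserved so scripts that write the
    file keep working, which is the design described in the thread."""
    users: Dict[str, str] = {}
    out_lines = []
    upgraded = 0
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or ":" not in stripped:
            out_lines.append(line)
            continue
        user, _, secret = stripped.partition(":")
        if not is_hashed(secret):
            secret = hash_password(secret)
            upgraded += 1
        users[user] = secret
        out_lines.append(f"{user}:{secret}")
    return users, "\n".join(out_lines) + "\n", upgraded


def check_basic_auth(header: str, users: Dict[str, str]) -> Optional[str]:
    """Server-side handling of an 'Authorization: Basic ...' value.
    The credentials are only base64-encoded on the wire, so the server
    recovers them directly; hashing the file changes nothing about that."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(blob).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    stored = users.get(user)
    if stored is None or not verify_password(password, stored):
        return None
    return user


if __name__ == "__main__":
    users, rewritten, n = load_and_upgrade(SAMPLE_AUT)
    print(f"upgraded {n} plaintext entries")
    print(rewritten)
    # Constructed header: base64 of "alice:s3cret".
    print("authenticated as:", check_basic_auth("Basic YWxpY2U6czNjcmV0", users))
```

Loading the rewritten file a second time upgrades nothing, which is what makes the in-place hashing safe to run on every start. The header check still succeeds with the hashed store, illustrating the reply's point: the on-disk format is now protected against a file read, but whatever is sent in the clear over HTTP is unchanged.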