[Xitami] Plaintext passwords on Bugtraq (again)

Dwaine Gonyier xitami@lists.xitami.org
Mon, 24 Jun 2002 10:01:46 -0400


I don't know if this has been brought up before, but
you can always configure Xitami to only allow admin
access from localhost and use encrypted tunneling via
ssh (http://www.openssh.com/)
or zebedee (http://www.winton.org.uk/zebedee/)
to open a secure connection to the web server
host to do administrative stuff with Xitami.
Either way, HTTP text will be sent through an encrypted
tunnel via port forwarding.

I use zebedee to do this all the time with Xitami.

For Windows, you can try http://www.cygwin.com for ssh.
I think it has an sshd too.

--
Dwaine Gonyier
dwaine_gonyier@mindspring.com

----- Original Message -----
From: "Thomas J. Hruska" <shinelight@shininglightpro.com>
To: <xitami@lists.xitami.org>
Sent: Monday, June 24, 2002 9:11 AM
Subject: Re: [Xitami] Plaintext passwords on Bugtraq (again)


> At 10:58 AM 6/24/2002 +0200, Pieter Hintjens writeth:
> >Michael Burns <mburns83@directvinternet.com> wrote:
> >> Imatix,
> >>
> >> Why were the passwords in the configuration files (default.aut,
> >> ftpusers.aut, etc.) left in plaintext? Is there any plan to change
> >> that?
> >
> >I think the FAQ answers the 'why', and I don't see any flaws in the
> >original reasoning: if someone can read your password files, then (a)
> >they can use dictionary-based attacks, and (b) your general security
> >has been compromised and that is much more serious than whether the
> >passwords are hashed or not (and the extra hour or two that takes for
> >someone to crack enough of them to get into your server).
> >
> >My personal opinion is that flagrantly unsecured password files are
> >actually a 'feature' since they oblige the system administrator to
> >think seriously about security issues (such as running NTFS vs.
> >FAT32).
> >
> >But that may just be laziness.  We've always planned to implement
> >password hashing at some stage.  Given that this issue keeps coming
> >back, we'll look at this for the next release.
> >
> >The planned design is this: we will keep the existing file
> >structures, and put the hashing logic inside Xitami.  When it reads a
> >password file, it will hash any (new) unhashed passwords.  We don't
> >want to break scripts that create password files.
>
> However, the problem still won't go away since anyone sniffing for
> packets can grab any HTTP Authorization header and store it away for
> a later replay attack (MD5 hashes included).  What is worse is that
> Xitami doesn't have DIGEST mode available which means that the
> username:password combination is only Base64 encoded (and makes it
> _VERY_ easy to obtain access to "secure" areas - e.g. remote /admin
> access).  Even with DIGEST mode, it still doesn't stop a replay
> attack since the HTTP protocol doesn't have any secure handshaking
> methods.
>
> So, hashing the files might help some locally, but won't stop anyone
> from attacking the server remotely.  The problem is not necessarily
> with Xitami but also has to do with the inherent weakness of the HTTP
> protocol.
>
> Hope this helps!
>
>
>           Thomas J. Hruska -- shinelight@shininglightpro.com
> Shining Light Productions -- "Meeting the needs of fellow programmers"
>                   http://www.shininglightpro.com/
>
> --
> Xitami Users Mailing List -- For Xitami support
> To unsubscribe: http://lists.xitami.org/mailman/listinfo/xitami
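The hash-on-read design Pieter describes in the quoted message (keep the existing password-file layout, hash any still-plaintext entry when Xitami reads the file, so scripts that write the file keep working), as an added example. This is not Xitami's code: the `user:password` line layout, the `$pbkdf2-sha256$` marker used to tell hashed entries from legacy ones, and the PBKDF2 parameters are assumptions made here. It leaves comments, blank lines and already-hashed entries untouched, rewrites the file atomically so a crash cannot leave a half-written password file, and still verifies against a legacy plaintext entry that has not been migrated yet. As Thomas points out, this only protects the file at rest; it does nothing for a credential sent over the wire, which is what the localhost-only admin setting and the ssh tunnel are for.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Tuple

# Marker that tells hashed entries apart from legacy plaintext ones.
# The marker, the PBKDF2 parameters and the "user:password" line layout
# are assumptions for this example, not Xitami's real file format.
HASH_PREFIX = "$pbkdf2-sha256$"
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted PBKDF2-SHA256 string: $pbkdf2-sha256$<iters>$<salt>$<dk>."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{HASH_PREFIX}{ITERATIONS}${salt.hex()}${dk.hex()}"


def is_hashed(stored: str) -> bool:
    # Caveat: a legacy plaintext password that itself starts with the
    # marker would be misclassified; a real deployment needs a per-file
    # version flag rather than relying on the prefix alone.
    return stored.startswith(HASH_PREFIX)


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a hashed or a legacy plaintext entry."""
    if not is_hashed(stored):
        # Legacy entry not yet migrated: still accept it, but compare in constant time.
        return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))
    try:
        _, _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False  # malformed entry never authenticates
    return hmac.compare_digest(dk.hex(), dk_hex)


def upgrade_lines(lines: List[str]) -> Tuple[List[str], Dict[str, str], int]:
    """Hash every plaintext 'user:password' line; keep all other lines byte-for-byte.

    Returns (rewritten lines, {user: stored credential}, number of entries hashed).
    """
    out: List[str] = []
    users: Dict[str, str] = {}
    upgraded = 0
    for line in lines:
        stripped = line.rstrip("\r\n")
        if not stripped or stripped.startswith("#") or ":" not in stripped:
            out.append(line)  # comments, blanks and unknown lines are left alone
            continue
        user, _, cred = stripped.partition(":")  # password may itself contain ':'
        if not is_hashed(cred):
            cred = hash_password(cred)
            upgraded += 1
        users[user] = cred
        out.append(f"{user}:{cred}\n")
    return out, users, upgraded


def load_password_file(path: str) -> Dict[str, str]:
    """Read a password file, rewriting it atomically if any entry was still plaintext."""
    with open(path, "r", encoding="utf-8") as f:
        lines = f.readlines()
    new_lines, users, upgraded = upgrade_lines(lines)
    if upgraded:
        tmp = path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as f:
            f.writelines(new_lines)
        os.replace(tmp, path)  # rename is atomic: never a half-written password file
    return users


if __name__ == "__main__":
    # Constructed sample file content, not a real Xitami .aut file.
    sample = ["# constructed sample\n", "alice:s3cret\n", "\n"]
    rewritten, table, count = upgrade_lines(sample)
    print(f"hashed {count} entry/entries")
    print("".join(rewritten), end="")
    print("alice login ok:", verify_password("s3cret", table["alice"]))
```

A second read of the rewritten file hashes nothing, so the migration is idempotent and the file can still be regenerated by existing scripts: any plaintext line they write is picked up and hashed on the next load.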