mailing list archives
Re: Xitami Webserver stores admin password in clear text.
From: "Larry W. Cashdollar" <lwc () vapid dhs org>
Date: Wed, 28 Nov 2001 09:52:42 -0500 (EST)
On Tue, 27 Nov 2001, Tom Micklovitch wrote:
This is a known issue, and certainly on windows versions on Xitami, you actually have to create
the file defaults.aut yourself, as in, actually type in it's contents.
I know it is, its in the FAQ mentioned on the xitami website and
referenced in my advisory, that is why I released a little early.
But you are correct - it would be nice if it was encoded somehow.
A more worrying issue is the fact that defaults.aut is world readable AND writable, hence if you
have shared the drive it's on, anyone on the local network can simply replace it with their password.
I only tested on Linux, and in my installation defaults.aut was world
readable but not world writeable. I did notice that the development
version 2.5b5 that the default.aut file was group writeable as well.