Bugtraq mailing list archives

Xitami Web Server (32-bit) 2.5b4 Plaintext Administrator Password Storage
From: ace <ace () microsoft ph>
Date: 20 Jun 2002 02:35:14 -0000

Trippin Smurfs Security Team - 06/20/2002
[Securing by the masses, one box at a time.]

[~] Issue:

Xitami Web Server (32-bit) 2.5b4 Plaintext Administrator Password Storage

[~] Author:

ace | ace () microsoft ph

[~] Vulnerable:

Xitami Web Server (32-bit) 2.5b4 [http://www.imatix.com/]

[~] Description:

Xitami is a multithreaded Web server. Though small and simple, Xitami is robust enough to handle high-volume intranets. Built from the ground up as a high-performance Web server engine, it pumps data onto the network at top speed. This means that it can serve large files quickly while handling many simultaneous hits.

[~] Bug:

Xitami web server suffers from poor password storage syndrome [ i know, i made the name up ;) ].

[~] Exploit:

Any local user could head out to C:\Xitami, where the default installation directory sits, and open "defaults.aut", a file in the Xitami installation directory. This file has the administrator's user/password saved in plain text! Here is what the file looks like:

#  Created at installation time 

As you can see, no encryption at all is used, so technically this bug is of "high severity".
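A defender-side check for this issue, added here as an example and not part of the advisory or of Xitami itself: a PowerShell script that audits the ACL on defaults.aut in the default install path and, when run with -Fix as an administrator, restricts it to SYSTEM and Administrators. The path, the trusted-principal list and the parameter names are assumptions.

```powershell
# Added example (not from the advisory): audit who can read Xitami's
# credential file and optionally restrict it to SYSTEM and Administrators.
# $Path assumes the default install directory named in the advisory.
param(
    [string]$Path = 'C:\Xitami\defaults.aut',
    [switch]$Fix
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "Not found: $Path"
    return
}

# Principals that legitimately need the server's admin credential (assumed).
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

$acl = Get-Acl -LiteralPath $Path
$exposed = @()
foreach ($ace in $acl.Access) {
    # An Allow entry carrying ReadData for any principal outside the trusted
    # set means a non-admin local user can recover the plaintext password.
    $canRead = $ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData
    if ($ace.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $ace.IdentityReference.Value -and $canRead) {
        $exposed += $ace
    }
}

if ($exposed.Count -eq 0) {
    Write-Output "OK: $Path is readable only by $($trusted -join ', ')"
} else {
    Write-Output "EXPOSED: $Path is readable by:"
    foreach ($ace in $exposed) {
        Write-Output ("  {0} ({1}, inherited={2})" -f $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited)
    }
}

if ($Fix -and $exposed.Count -gt 0) {
    # Stop inheriting the directory's ACL (discarding inherited entries),
    # drop the explicit entries, then grant FullControl only to $trusted.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($id in $trusted) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Output "Fixed: $Path now restricted to $($trusted -join ', ')"
}
```

Tightening the ACL only limits who can read the file; the credential itself is still stored in plaintext, so this is a stopgap, not a replacement for a fix from the vendor.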

[~] Work Around:

Uninstall Xitami.

[~] Vendor Status:

The vendor has been contacted; there is still no reply on this issue. This will be updated when a vendor response is received.

Trippin Smurfs - http://www.t-smurfs.com/
