PrimeBase SQL Database server cleartext password storage. (fwd)
PrimeBase SQL Database server cleartext password storage.
Vapid Labs Security Note
10/20/03
The PrimeBase SQL Database Server 4.2 stores passwords in clear
text, and based on the installation users umask settings maybe readable by
all local users.
>From the readme.txt file:
"The Admin server will require you to enter your password in a text file
called 'password.adm' (in the server folder), before you can continue.
NOTE: This is the password for access to the Admin Server only."
Depending on your umask settings (default 022 for root) the "Admin Server"
password maybe readable by local users. Also the password is not stored
as a hash or encrypted. A malicious user could uses this password to
access the web based administration server and compromise the system.
The database also comes with a default "Administrator" account with no
password, the documentation does recommend the installer set the
Administrator password during installation.
Recommendations: Store the password as a hash in a file read-only by the
Admin Server. Disable the Administrator account until a password has been
set for it.
References: http://www.primebase.de
Larry Cashdollar
http://vapid.dhs.org