Bugtraq archives for 2nd quarter (Apr-Jun) 1999: Re: Real Media Server stores passwords in plain text

Re: Real Media Server stores passwords in plain text

Doug Monroe (monwelINTERHACK.NET)
Mon, 19 Apr 1999 20:37:49 -0400

> M. Marzoa Alonso wrote:
>> The fact is that through installation process it asks for a
>> password that isn't hidden when you write it either, but worse is that this
>> password is stored in the file /usr/local/rmserver/rmserver.cfg in plain
>> format

> Peter Roth <rothPEROTECH.CH> wrote:
>this also affects Version 6.0.3.303 of RealAudio Basic Server on Win NT,
>File Permission is set to full access by everyone

Tangentially related to Real Server/cleartext passwords....but mostly
related to bad practices on the part of application developers. FWIW-

Station Manager from Lariat Software (www.lariat.com) manages/schedules
content offered on Real Servers and has similar issues. Quoting from their
docs:

    In order to access Station Manager, it must be installed on a Web
    server. You can install Station Manager directly into the Web
    server's root directory or in another directory on the same computer
    as long as the directory is a virtual directory of the Web server.

Installing the product under docroot means all of the
installed files are viewable and/or retrievable. This includes
license info, manuals, admin info, *config* files...for example:
http://my.example.com/stationmanager/lariat/server/config/stnmng.cfg
might reward you with:
---
  RVSLTA	Z:\Real\Server\Bin\rvslta.exe
  SERVERHOSTNAME	somehost.example.com
  SERVERPASSWORD	xyz123            <-- ed note: Real Server pw here
  SERVERPORT	7777
  CONVERSION	somehost.example.com 7777 X:\rmfiles
  STATIONMANAGERPASSWORD	foobar
---
Of course you can use access control mechanisms to protect yourself but
nowhere do they warn of these pitfalls and if someone installs the product
under the docroot of a typical server:
  a) without access control
  b) with directory listings enabled
then the above config files and their passwords (among other things) are
exposed. Even if directory listing is disabled, one can still retrieve config
files (for example) if one simply knows the correct path/filename.
Lariat has been told and may be in the process of modifying documentation.
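
For administrators who want to check their own web root for the exposure described in this message, the following audit sketch is an added example and is not part of the original post or of any Lariat or Real software. The function names, the extension list and the match on "PASSWORD" in key names are assumptions; the sample config is constructed in the layout of the excerpt above.

```python
import os
import tempfile

# Added example; names, the extension list and the PASSWORD match are assumptions.
# Constructed sample in the key/value layout of the stnmng.cfg excerpt above.
SAMPLE_CFG = (
    "SERVERHOSTNAME\tsomehost.example.com\n"
    "SERVERPASSWORD\txyz123\n"
    "SERVERPORT\t7777\n"
    "STATIONMANAGERPASSWORD\tfoobar\n"
)

def secret_keys(text):
    """Return names of keys that look like credentials and carry a value."""
    found = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)  # key, then the rest of the line
        if len(parts) == 2 and "PASSWORD" in parts[0].upper():
            found.append(parts[0])
    return found

def audit_docroot(docroot, url_prefix="/", exts=(".cfg", ".conf", ".ini")):
    """Walk a web root; report (URL path, key names) for config files holding
    cleartext secrets. Values are never returned, so the report can be shared."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    keys = secret_keys(fh.read())
            except OSError:
                continue  # unreadable by the auditor; skip rather than abort
            if keys:
                rel = os.path.relpath(path, docroot).replace(os.sep, "/")
                findings.append((url_prefix.rstrip("/") + "/" + rel, keys))
    return sorted(findings)

def demo():
    """Build a throwaway docroot mirroring the layout in the post and audit it."""
    with tempfile.TemporaryDirectory() as root:
        cfg_dir = os.path.join(root, "stationmanager", "lariat", "server", "config")
        os.makedirs(cfg_dir)
        with open(os.path.join(cfg_dir, "stnmng.cfg"), "w") as fh:
            fh.write(SAMPLE_CFG)
        return audit_docroot(root)
```

Call `demo()` for the constructed case, or `audit_docroot()` with the server's own document root; any finding is a file to move outside the web root or place behind access control.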