|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Opsware NAS 6.0 reveals MySQL 'root' password
security-alert
opsware.com
Date: Thu Jul 27 2006 - 01:18:01 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
DETAILS:
--------
The /etc/init.d/mysql script lists the root password of MySQL database:
-"INPUT_DB_PASSWORD=mysql123"
-"bin/mysqladmin -uroot -pmysql123 shutdown"
The file permission of file /etc/init.d/mysql will allow all users with a login to the NAS server to view the root password for the database.
The current permissions are :
-rwxrwxr-x 1 root root 1856 Jul 22 10:43 mysql
WORKAROUND:
-----------
Change the file permissions of /etc/init.d/mysql to limit read/write and execute to the appropriate user (eg. root).
STEPS:
------
1. Login in to NAS server as root;
2. Change file permissions :
#chmod 700 /etc/init.d/mysql
3. Verify changes to file permissions :
#ls -l /etc/init.d/mysql
The file should have the following permissions:
-rwx------ 1 root root 1856 Jul 22 10:43 mysql
NOTES:
------
NAS versions that run on Windows are not affected.
NAS versions, that run on Linux/Solaris and use
Oracle/SQL Server as their databases are not affected.
NAS versions, that run on Linux/Solaris and use MySQL installed on a host different from the core server are not affected.
CONTACT INFORMATION:
--------------------
Please contact security-alert AT opsware dot com, if you require additional information.
Network Automation System Engineering
Opsware, Inc.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]