Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Apps :: rmedia1.htm

RealMedia Server Cleartext Passwords

    Real Media Server


    Linux, NT (others?)


    Francisco  M.  Marzoa  Alonso  found  following.   Take  a look at

        fmmarzoa@alexander:/usr/local/rserver/Bin > rmserver -version
        Creating Server Space...
        Starting RealServer 6.0 Core...
        RealServer (c) 1995-1998 RealNetworks, Inc. All rights reserved.
        Platform: linux2

    The  fact  is  that  through  installation  process  it  ask for a
    password that itsn't hide neither when you write it, but worse  is
    that     this     password     is     stored     in     the   file
    /usr/local/rmserver/rmserver.cfg  in  plain  format  and this file
    have as default a 644 permision mask.

    This also affects Version of RealAudio Basic  Server on
    Win NT, File Persmission is set  to full access by everyone.   The
    G2  web  admin  facility  uses  forms to change/set passwords etc.
    (Some of)  these changes  are logged,  in plaintext,  in the world
    readable access logs for your lusers' reading pleasure...   Here's
    a snippit:

 - - [14/Mar/1999:11:23:32 +0000]  "GET
        ml%26name%3Devilhaxor%26pass%3Dfreekevin%26realm%3DbadwURLd HTTP/1.0"
        200 2452 [UNKNOWN] [UNKNOWN] [UNKNOWN] 0 0 0 0 0 114


    Change permissions of the file.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH