The same problem is in ~vpopmail/lib/libvpopmail.a - clear username and
password to MySQL!

Martin

> -----Original Message-----
> From: Alex W [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 29, 2001 6:54 AM
> To: [EMAIL PROTECTED]
> Subject: security bug in vpopmail
>
>
> Hi,
> I have noticed a security bug in vpopmail.
> The first thing is the fact that we have to hard code the 'password' into
> the vmysql.h
> file before we compile vpopmail with the mysql=y option. That is bad.
>
> Secondly, and most importantly, ANY user on the system can go in
> /home/vpopmail/bin/
> and do a "strings vuserinfo".
> If you scroll up after doing the "strings vuserinfo",
> you should look for lines similar to these:
> dir = %s
> vpopmail
> secret
> root
> localhost
>
> the second line is the database name (vpopmail), the third line is the
> password (secret), the fourth line is
> the username (root) and the last line is the host (localhost).
> All this information is in CLEAR TEXT !
>
> That is terrible. I would suggest maybe encrypting it at compile time
> because I don't want users on my system
> to gain 'root' access to my MYSQL database.
>
> For now, the only alternative is to change the read permissions on all
> binaries found in /home/vpopmail/bin/
>
> That's all for now.
> Thanks
>
> == Alex ==
>
>
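The root cause in the thread is that the MySQL credentials are compiled into the vpopmail binaries and library, so anything a local user can read (the binaries are world-readable by default) leaks them to `strings`. The fix that removes the problem rather than papering over it is to keep the secret out of the binary and load it at run time from a file that only the service account can read, with the loader refusing any file whose mode would let other users read it. The following is an added example written for this thread, not vpopmail's own code or either poster's; `load_db_password`, `write_secret_file` and `self_check` are hypothetical names, and the path `/tmp/vpopmail_db_password_example` is a constructed placeholder used only by the self-test.

```c
/* Added example, not vpopmail's own code: read the MySQL password at run
 * time from a file that only the service account can read, instead of
 * compiling it into the binary where `strings` exposes it. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 and copies the first line of `path` into out[], or -1 with errno
 * set when the file is missing, is not a regular file, is empty, or carries
 * any group/other permission bits (EACCES). */
int load_db_password(const char *path, char *out, size_t outlen)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }

    /* Refuse anything another local user could read: a non-regular file or
     * any group/other bits. This is the permission check that the thread's
     * quick fix (chmod on the binaries) performs by hand. */
    if (!S_ISREG(st.st_mode) || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        errno = EACCES;
        return -1;
    }

    ssize_t n = read(fd, out, outlen - 1);
    close(fd);
    if (n <= 0) { errno = EINVAL; return -1; }
    out[n] = '\0';
    out[strcspn(out, "\r\n")] = '\0';   /* keep only the first line */
    if (out[0] == '\0') { errno = EINVAL; return -1; }
    return 0;
}

/* Test helper: create `path` with `contents` and force its mode to `mode`
 * (chmod after create, because umask may strip bits on creation). */
int write_secret_file(const char *path, const char *contents, mode_t mode)
{
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd < 0) return -1;
    size_t len = strlen(contents);
    ssize_t w = write(fd, contents, len);
    close(fd);
    if (w < 0 || (size_t)w != len) return -1;
    return chmod(path, mode);
}

/* Demonstrates both outcomes on a constructed file: a 0600 file is accepted
 * and yields the password, the same file at 0644 is rejected with EACCES.
 * Returns 1 on success, 0 if either expectation fails. */
int self_check(void)
{
    const char *path = "/tmp/vpopmail_db_password_example"; /* constructed */
    char buf[128];
    if (write_secret_file(path, "s3cret\n", 0600) != 0) return 0;
    if (load_db_password(path, buf, sizeof buf) != 0) return 0;
    if (strcmp(buf, "s3cret") != 0) return 0;
    if (chmod(path, 0644) != 0) return 0;
    int rejected = (load_db_password(path, buf, sizeof buf) == -1
                    && errno == EACCES);
    unlink(path);
    return rejected;
}

int main(void)
{
    printf("%s\n", self_check() ? "ok" : "FAILED");
    return 0;
}
```

Because the check is on the file's mode bits rather than on whether `open` succeeded, it behaves the same whether the process runs as root or as the vpopmail service user, and it fails closed: a file that was accidentally left world-readable makes the daemon refuse to start rather than quietly exposing the credential.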
