What happens when a user gains root access to a machine? He can simply go and
transfer the actual MySQL database files to another machine... no prob... why
go through all that work when the user can simply extract the username/pass
from the binary, and then log in to the database and view ALL the information
in cleartext???
It's just a principle of hardcoding a password in a binary. I think it's
wrong. You can't tell me that I'm dumb because the permissions are wrong.
Permissions don't mean shit. And by the way, VPOPMAIL does not secure the
directory by default. I checked it on a Linux system and FreeBSD and the
permissions still seem to be 755 for /home/vpopmail/.
Responsibility or not, the fact is that the username/password is hardcoded
in there and it shouldn't be.
Regards,
== Alex ==
----- Original Message -----
From: "Mike Miller" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 31, 2001 5:46 PM
Subject: Re: security bug in vpopmail
>
> Clearly you have some sort of nasty security bug yourself... Directory
> permissions are NOT the responsibility of the programmer. Sure, things such
> as mount, cron, etc. all check for users and do permissions checking. If
> you're dumb enough to make some of these system-configuration programs
> (vpopmail) open to the public, that's your issue. VPOPMAIL by default
> secured my directory tree just fine, and I did even more for the directory
> under it. You may want to check out if you're changing the directory
> permissions on the homedir.
>
> --
> Mike
>
>
> >From: "Alex W" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Subject: security bug in vpopmail
> >Date: Mon, 29 Jan 2001 00:53:58 -0500
> >
> >Hi,
> >I have noticed a security bug in vpopmail.
> >The first thing is the fact that we have to hard-code the 'password' into
> >the vmysql.h file before we compile vpopmail with the mysql=y option. That
> >is bad.
> >
> >Secondly, and most importantly, ANY user on the system can go in
> >/home/vpopmail/bin/ and do a "strings vuserinfo".
> >If you scroll up after doing the "strings vuserinfo", you should look for
> >lines similar to these:
> >dir = %s
> >vpopmail
> >secret
> >root
> >localhost
> >
> >The second line is the database name (vpopmail), the third line is the
> >password (secret), the fourth line is the username (root) and the last
> >line is the host (localhost).
> >All this information is in CLEAR TEXT!
> >
> >That is terrible. I would suggest maybe encrypting it at compile time,
> >because I don't want users on my system to gain 'root' access to my MySQL
> >database.
> >
> >For now, the only alternative is to change the read permissions on all
> >binaries found in /home/vpopmail/bin/
> >
> >That's all for now.
> >Thanks
> >
> >== Alex ==
> >
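The `strings vuserinfo` check from the report, turned into a small post-build audit. This is an added example, not code from vpopmail or from anyone in the thread: it emulates strings(1) portably, looks for the password that was compiled in from vmysql.h, and checks whether the binary is readable by other users, which is the combination that actually exposes the database. The sample "binaries" are constructed byte streams (not a real vuserinfo), `secret` is the password from the report, and the /home/vpopmail/etc/vpopmail.mysql path is an assumed location for a run-time credentials file, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not code from vpopmail or from the thread.  It emulates the
# `strings vuserinfo` check and turns it into a post-build audit: does a binary
# still contain the MySQL password compiled in from vmysql.h, and is that
# binary readable by other users?  The sample "binaries" are constructed byte
# streams; the password `secret` is the one from the report; the
# /home/vpopmail/etc/vpopmail.mysql path is only an assumption.

# Portable stand-in for strings(1): print runs of 4+ printable ASCII bytes.
extract_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '^.{4,}$'
}

# Constructed sample of a binary built with the credentials compiled in.
# Non-printable padding surrounds the same strings the report lists
# (format string, database, password, user, host), in the same order.
make_leaky_binary() {
    printf '\177ELF\001\001\001\000dir = %%s\000vpopmail\000secret\000root\000localhost\000\001\002' > "$1"
    chmod 755 "$1"     # the mode the report complains about
}

# Constructed sample of a binary that reads its credentials at run time from
# a file (assumed path) instead: the password is not in the image at all.
make_clean_binary() {
    printf '\177ELF\001\001\001\000dir = %%s\000/home/vpopmail/etc/vpopmail.mysql\000\001\002' > "$1"
    chmod 755 "$1"
}

# Does the file contain the configured password as a whole printable string?
secret_leaks() {
    extract_strings "$1" | grep -qxF -- "$2"
}

# Is the file readable by group or others?  Reads the mode field of ls -l:
# character 5 is group read, character 8 is other read.
world_readable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ????r*|???????r*) return 0 ;;
    esac
    return 1
}

# Audit every regular file in a directory.  Prints each file that both
# contains the password and is readable by others; returns 1 if any is found.
audit_bin_dir() {
    dir=$1; secret=$2; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if secret_leaks "$f" "$secret" && world_readable "$f"; then
            echo "EXPOSED: $f $(ls -ld "$f" | cut -c1-10) contains the DB password"
            bad=1
        fi
    done
    return "$bad"
}

# Demonstration run in a scratch directory (paths are made up for the example).
demo() {
    d=${TMPDIR:-/tmp}/vpopmail-example.$$
    mkdir -p "$d/bin"
    make_leaky_binary "$d/bin/vuserinfo"
    make_clean_binary "$d/bin/vdeluser"
    echo "--- strings output for the leaky binary:"
    extract_strings "$d/bin/vuserinfo"
    echo "--- audit with the report's 755 mode:"
    if audit_bin_dir "$d/bin" secret; then echo "no exposure"; fi
    chmod 711 "$d/bin/vuserinfo"      # the interim workaround from the report
    echo "--- audit after removing read permission for others:"
    if audit_bin_dir "$d/bin" secret; then echo "no exposure"; fi
    rm -rf "$d"
}

demo
```

Run as-is it prints the same five strings the report shows, flags the constructed vuserinfo, and shows that the chmod workaround Alex mentions silences the audit. Note what that workaround does not cover: the binary is only unreadable if every directory above it also denies traversal to other users, and a local root user bypasses file modes entirely, which is why the lasting fix is to keep the credentials out of the binary in a file only the vpopmail user can read.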