5177375 2000-06-08 22:27 /20 lines/ Postmaster
Recipient: Bugtraq (import) <11222>
Subject: Piranha password file
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Date: Fri, 2 Jun 2000 12:29:38 -0700
From: frostman@SECUREACCESS.INTRANETS.COM
Reply-To: frostman@SECUREACCESS.INTRANETS.COM
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20000602192938.23036.cpmta@c000.snv.cp.net>

Looking at the default install of Piranha on RH 6.2, the password file is world readable and encrypted with standard DES. Hence any user with a shell account can download this password file and crack it, in turn giving them access to the Piranha configuration and probably more. I'm still testing to see what else can be gained.

I looked over the previous advisories on your site and Red Hat's and this wasn't mentioned.
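The two conditions the post describes (a world-readable file and traditional DES crypt(3) hashes in it) can both be checked from the file itself. The following audit script is an added example, not code from the post or from Red Hat; the path to the Piranha password file is not given in the post, so the demo builds a constructed htpasswd-style file in a temporary directory instead.

```python
import os
import re
import stat
import tempfile

# Traditional crypt(3) DES output: 2-char salt + 11 hash chars, all from [./0-9A-Za-z].
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(hashed):
    """'des' for a 13-char crypt(3) DES hash, 'modular' for $id$... formats, else 'unknown'."""
    if DES_HASH.match(hashed):
        return "des"
    if hashed.startswith("$"):
        return "modular"  # $1$ MD5, $5$/$6$ SHA, $2y$ bcrypt and similar
    return "unknown"


def audit_password_file(path):
    """Return findings for an htpasswd-style file: other-readable mode and DES-hashed users."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH:  # readable by any local account, as in the reported default
        findings.append("world-readable (mode %o)" % stat.S_IMODE(mode))
    with open(path) as f:
        for lineno, line in enumerate(f, 1):
            line = line.rstrip("\n")
            if not line or line.startswith("#") or ":" not in line:
                continue
            user, hashed = line.split(":", 1)
            if classify_hash(hashed) == "des":
                findings.append("line %d: user %r uses traditional DES crypt" % (lineno, user))
    return findings


def demo():
    """Constructed sample: one DES entry, one MD5 entry, file left at mode 0644."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "htpasswd.sample")  # placeholder, not the Piranha path
    with open(path, "w") as f:
        f.write("piranha:abJnggxhB/yWI\n")              # constructed 13-char DES-style hash
        f.write("webadmin:$1$saltsalt$" + "x" * 22 + "\n")  # constructed MD5-crypt-style hash
    os.chmod(path, 0o644)
    return audit_password_file(path)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A clean result is an empty list: mode 0600 (or 0640 owned by the service group) and no DES-format entries.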