Apache2Triad Help, Support and Development Forum
 A FATAL bug in apache2triad 2.0.49
martinkfreeman
Joined: 18 May 2005
Posts: 2
Posted: Wed May 18, 2005 6:48 pm

There is a big, fatal bug in apache2triad version 2.0.49. There is a file, which can be accessed from HTTP. Most importantly, this file contains your root user and root password. I was "hacked" that way by a... lamer, which means this bug is VERY HUGE.
Excuse me, if this is fixed in the new version that I don't have.
greetings,
martinkfreeman.
Vlad Alexa Mancini
lead developer
Joined: 07 Jul 2003
Posts: 1539
Posted: Wed May 18, 2005 7:32 pm

there is no such 2.0.49 apache2triad version

and I daresay there is no such file with the global password in plain text that can be accessed by any unprivileged visitor

please explain
LiquidSnake
past contributor
Joined: 23 May 2004
Posts: 267
Location: Middlesboro, KY
Posted: Wed May 18, 2005 8:26 pm

If you are referring to Apache, the version A2T 1.5.2 uses is 2.0.53 ..

The password is used as a comparison; it's non-reversible. Even if someone could obtain the file, which they can't, it would be useless for that reason (no, you can't take a hashed password and enter it into a password field; the hash would be hashed again and would not match) .. My guess is you just had an easily hacked password ...
martinkfreeman
Joined: 18 May 2005
Posts: 2
Posted: Thu May 19, 2005 9:16 am

Ooops.. Excuse me, version 1.2.1.
I know what a hash is. The password is in a plain-text file, but I don't know which file it is. LiquidSnake, I didn't understand what you mean by "easily hacked". It was the sort of "jv2jo67", so I guess it is not easy to hack...
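One way to answer the "which file is it" question raised above, as an added example that is not part of the original thread or Apache2Triad's own code: walk the directory the web server serves and list every file that contains the credential verbatim. The function names, the sample tree and the sample password are assumptions constructed for the demo.

```python
import os
import tempfile


def find_secret_exposures(docroot, secret, max_bytes=5_000_000):
    """Return sorted docroot-relative paths of files whose bytes contain `secret`."""
    needle = secret.encode("utf-8")  # UTF-16 or otherwise encoded copies are not matched
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip large binaries/archives; review those separately
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished file: nothing to report
            if needle in data:
                rel = os.path.relpath(path, docroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Run the scan over a constructed sample tree (not a real Apache2Triad layout)."""
    secret = "constructed-Pa55"  # made-up credential for the demo
    samples = {
        "index.html": "<h1>It works</h1>\n",
        "notes/install.log": "root password set to constructed-Pa55\n",
        "notes/users.txt": "root:<hash placeholder>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return find_secret_exposures(root, secret)


if __name__ == "__main__":
    print(demo())
```

A hit is only an exposure if the server will actually serve that path, so check each result against the access rules and rotate the password once the file is found.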
LiquidSnake
past contributor
Joined: 23 May 2004
Posts: 267
Location: Middlesboro, KY
Posted: Fri May 20, 2005 10:36 am

Well then, please explain how your unhackable password was got by someone; it was not from the files on your server. And update your installation; it could be an old Apache security issue.
Joshua Meadows (DemoRic)
support
Joined: 29 Dec 2004
Posts: 783
Location: S.E. Kansas
Posted: Sun May 22, 2005 3:34 pm

If you use the same password for FTP, and it's not sent via FTPS or SFTP, it has the potential to be pulled out by somebody in between (however unlikely). If you have a strong password, and use hashed password storage, I'd lean toward a possible keylogging program on your PC.

You might also want to check out http://www.nessus.org/download/
All times are GMT