Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Opsware NAS 6.0 reveals MySQL 'root' password

from [security-alert] Network Security [Permanent Link]
Subject: Re: Opsware NAS 6.0 reveals MySQL 'root' password
Date: 27 Jul 2006 06:18:01 -0000 
DETAILS:
--------
The /etc/init.d/mysql script lists the root password of MySQL database:
 
-"INPUT_DB_PASSWORD=mysql123"
 -"bin/mysqladmin -uroot -pmysql123 shutdown"
 
The file permission of file /etc/init.d/mysql will allow all users with a login 
to the NAS server  to view the root password for the database.

The current permissions are :
-rwxrwxr-x    1 root     root         1856 Jul 22 10:43 mysql

WORKAROUND:
-----------
Change the file permissions of /etc/init.d/mysql to limit  read/write and 
execute to the  appropriate user (eg. root).

STEPS:
------
1. Login in to NAS server as root;

2. Change file permissions :
#chmod 700 /etc/init.d/mysql

3. Verify changes to file permissions :
#ls -l /etc/init.d/mysql
 
The file should have the following permissions:

-rwx------    1 root     root         1856 Jul 22 10:43 mysql

NOTES:
------
NAS versions that run on Windows are not affected.

NAS versions, that run on Linux/Solaris and use 
Oracle/SQL Server as their databases are not affected.

NAS versions, that run on Linux/Solaris and use MySQL installed on a host 
different from the core server are not affected.

CONTACT INFORMATION:
--------------------
Please contact security-alert AT opsware dot com,  if you require additional 
information.

Network Automation System Engineering
Opsware, Inc.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  GeoClassifieds Enterprise <= 2.0.5.2 Cross Site Scripting, securityconnection
Next by Date:  Cross-Site Scripting and Local File Inclusion in Phorum, Meftun
Previous by Thread:  Opsware NAS 6.0 reveals MySQL 'root' password, Freeman, Michael
Next by Thread:  SYMSA-2006-008:Password Safe - Lock Password Database Configuration Not Enforced, research
Indexes:  [Date] [Thread] [Top] [All Lists]