BugTraq
Re: Opsware NAS 6.0 reveals MySQL 'root' password Jul 27 2006 06:18AM
security-alert opsware com
DETAILS:

--------

The /etc/init.d/mysql script lists the root password of MySQL database:

-"INPUT_DB_PASSWORD=mysql123"

-"bin/mysqladmin -uroot -pmysql123 shutdown"

The file permission of file /etc/init.d/mysql will allow all users with a login to the NAS server to view the root password for the database.

The current permissions are :

-rwxrwxr-x 1 root root 1856 Jul 22 10:43 mysql

WORKAROUND:

-----------

Change the file permissions of /etc/init.d/mysql to limit read/write and execute to the appropriate user (eg. root).

STEPS:

------

1. Login in to NAS server as root;

2. Change file permissions :

#chmod 700 /etc/init.d/mysql

3. Verify changes to file permissions :

#ls -l /etc/init.d/mysql

The file should have the following permissions:

-rwx------ 1 root root 1856 Jul 22 10:43 mysql

NOTES:

------

NAS versions that run on Windows are not affected.

NAS versions, that run on Linux/Solaris and use

Oracle/SQL Server as their databases are not affected.

NAS versions, that run on Linux/Solaris and use MySQL installed on a host different from the core server are not affected.

CONTACT INFORMATION:

--------------------

Please contact security-alert AT opsware dot com, if you require additional information.

Network Automation System Engineering

Opsware, Inc.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus