SecurityTracker.com
Category:   Application (Database)  >   PrimeBase SQL Database Server
Vendors:   SNAP Innovation GmbH
(Vendor Issues Fix) PrimeBase SQL Database Server Discloses Database Passwords to Local Users
SecurityTracker Alert ID:  1010204
SecurityTracker URL:  http://securitytracker.com/id/1010204
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 18 2004
Impact:   Disclosure of authentication information, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.2
Description:   A vulnerability was reported in the PrimeBase SQL Database Server. A local user can view the database admin password.

Vapid Labs reported that the database server stores the admin password in clear text in the 'password.adm' file in the server folder.

The report stated that because of typical default umask settings, any local user may be able to view the password on typical system installations.

It is also reported that the software is configured with a default "Administrator" account that requires no password (although the documentation recommends that the user set the password during installation).

Impact:   A local user can view the database admin password.
Solution:   The vendor has reportedly issued a fix, available at:

http://www.Primebase.com/ftp/releases/4229/

Vendor URL:  www.primebase.de/en/products/coretech/ds/index.html
Cause:   Access control error
Underlying OS:   Linux (Any), UNIX (Any)
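
The exposure described above (a clear-text 'password.adm' that ends up readable by other local users under a typical default umask) can be checked for and corrected as shown here. This is an added example, not part of the original advisory or the vendor's fix; the function names and the temporary files it creates are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on a clear-text credential file.
# All files are constructed in a temp dir; nothing touches a real installation.

# Print the group/other permission characters of a file, e.g. "r--r--".
group_other_bits() {
    ls -ld -- "$1" | cut -c5-10
}

# Return 0 if only the owner has any access, 1 if group/other have any bit set.
is_owner_only() {
    [ "$(group_other_bits "$1")" = "------" ]
}

# Check a credential file and, if group/other can access it, restrict it to
# owner read-only (mode 400). Echoes "ok", "fixed" or "missing".
audit_and_fix() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 2; }
    if is_owner_only "$f"; then
        echo "ok"
    else
        chmod 400 -- "$f" && echo "fixed"
    fi
}

# Create an empty file under a given umask and echo its group/other bits.
# Runs in a subshell so the caller's umask is left unchanged.
create_under_umask() {
    ( umask "$1"; : > "$2"; group_other_bits "$2" )
}

demo() {
    dir=$(mktemp -d) || return 1
    # Typical default umask 022: the new file is readable by every local user.
    echo "umask 022 -> $(create_under_umask 022 "$dir/password.adm")"
    echo "audit     -> $(audit_and_fix "$dir/password.adm")"
    echo "re-audit  -> $(audit_and_fix "$dir/password.adm")"
    # Restrictive umask 077: the file is private from the moment it is created.
    echo "umask 077 -> $(create_under_umask 077 "$dir/private.adm")"
    rm -rf -- "$dir"
}

demo
```

Restricting the file mode only limits who can read the file; the password inside is still stored in clear text.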

Message History:   This archive entry is a follow-up to the message listed below.
Nov 22 2003 PrimeBase SQL Database Server Discloses Database Passwords to Local Users



 Source Message Contents

Date:  Mon, 17 May 2004 20:27:38 -0400 (EDT)
Subject:  Vapid Labs Security Advisory for PrimeBase Database 4.2 (update)



This is in response to bugtraq id 8771,9087.


---------- Forwarded message ----------
Date: Fri, 14 May 2004 07:19:18 -0700
From: Barry Leslie
To: Larry W. Cashdollar <lwc@vapid.ath.cx>
Subject: Re: WG: Vapid Labs Security Advisory for  PrimeBase Database 4.2

Hi,

I am not sure if you are aware or not but there is a new version of
PrimeBase available at:
http://www.Primebase.com/ftp/releases/4229/
that addresses all of the concerns that you have reported.

Thank you for reporting these things to us.

Barry

> From: "Larry W. Cashdollar" <lwc@vapid.ath.cx>
> Date: Wed, 29 Oct 2003 15:37:50 -0500 (EST)
> To: Barry Leslie <barry.leslie@primebase.com>
> Subject: Re: WG: Vapid Labs Security Advisory for  PrimeBase Database 4.2
>
>
> You guys should also hash the password stored in password.adm.  Storing
> passwords in clear text is dangerous.  Users should also be instructed to
> change the file permissions to something more restrictive.. like read only
> for that user...
>
> # chmod 400 password.adm
>
> -- Larry
>

 
 



Copyright 2012, SecurityGlobal.net LLC