Possible Kolab LDAP configuration information disclosure

Martin Konold martin.konold at erfrakon.de
Tue Apr 20 20:47:36 CEST 2004


On Tuesday 20 April 2004 04:03 pm, Luca Villani wrote:

Hi

> > What are the access permissions on this file?

> But IMHO storing a password in clear text is a vulnerability tout court,
> even if permissions are 400.

Why? If you cannot trust root you are lost anyway.

> > What do you gain? The above encoded pw can also be used to replay...
>
> The above encoded pw is an SSHA encryption of the string
>
> 	averystrongpassword

What is the gain? (It can be abused also in the encoded form)

Yours,
-- martin

Dipl.-Phys. Martin Konold

e r f r a k o n
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Nobelstrasse 15, 70569 Stuttgart, Germany
fon: 0711 67400963, fax: 0711 67400959
email: martin.konold at erfrakon.de



