======PrimeBase SQL Database Server ClearText Password Storage====== //10/20/03//

The PrimeBase SQL Database Server 4.2 stores passwords in clear text, and based on the installation users umask settings maybe readable by all local users.

From the readme.txt file:

"The Admin server will require you to enter your password in a text file called 'password.adm' (in the server folder), before you can continue. NOTE: This is the password for access to the Admin Server only."

Depending on your umask settings (default 022 for root) the "Admin Server" password maybe readable by local users. Also the password is not stored as a hash or encrypted. A malicious user could uses this password to access the web based administration server and compromise the system.

The database also comes with a default "Administrator" account with no password, the documentation does recommend the installer set the Administrator password during installation.

Recommendations: Store the password as a hash in a file read-only by the Admin Server. Disable the Administrator account until a password has been set for it.

References: http://www.primebase.de

Larry Cashdollar
http://vapid.dhs.org