tomcat-users mailing list archives

From Greg.C...@pfizer.com
Subject RE: Security Hole - server.xml
Date Wed, 26 Nov 2003 14:09:49 GMT
> From: Curley, Thomas [mailto:thomas.curley@euroconex.com]

> I'd feel more secure with an MD5 or SHA1 encrypted user and 
> password than relying on unix file level security - what 
> happens if a hacker gets root privs?

Er ... Without wishing to flame, if they've got root privs they can do
what they like!

They could still sniff the network and get this info whatever the app
server, unless your DB server supports SSL, in which case it becomes more
complex...

Although weblogic appears to encrypt this, if you script the startup, the
admin username/password is still available and hence the encrypted passwords
can be unencrypted (as the app server has to send the password to the DB) -
so you just slow someone down, but if they have some brains they will get
through eventually.

Greg


> 
> thanks
> 
> Thomas
> 
> -----Original Message-----
> From: Tim Funk [mailto:funkman@joedog.org]
> Sent: 26 November 2003 13:51
> To: Tomcat Users List
> Subject: Re: Security Hole - server.xml
> 
> 
> The username and password still need to be decrypted at some time.
> It just makes the attacker jump through 1 hoop.
> 
> Using file permissions on the config file as well as server
> security are the ways to go.
> 
> -Tim
> 
> Curley, Thomas wrote:
> 
> > Hi all,
> > 
> > A direct question arising from a security review :-
> > 
> > Using a datasource it is possible to remove the 
> > 'username', 'password' or at least encrypt them using 
> > something like MD5
> > 
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
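The thread's practical conclusion is that a datasource password in server.xml cannot be "encrypted away", because the container has to hand the plaintext to the database, so the real control is who can read the file. As an added example (not code from this thread or from Tomcat), the following Python script shows what that check looks like in practice: it parses a constructed server.xml fragment, lists every Resource element that carries a password attribute, inspects the file's mode bits, and reports the file as exposed only when plaintext credentials and non-owner read access coincide. The resource name, URL and credentials in the sample are invented, and the 0600 target mode is the assumed policy.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the thread): a JDBC Resource whose
# password is stored in clear, as a Tomcat datasource definition requires.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="jdbc/appdb" auth="Container" type="javax.sql.DataSource"
              driverClassName="org.postgresql.Driver"
              url="jdbc:postgresql://db.example.invalid:5432/app"
              username="appuser" password="example-secret"/>
  </GlobalNamingResources>
</Server>
"""


def find_credential_resources(xml_text):
    """Return (resource name, username) for every Resource element with a password attribute."""
    root = ET.fromstring(xml_text)
    hits = []
    for res in root.iter("Resource"):
        if "password" in res.attrib:
            hits.append((res.get("name", "?"), res.get("username", "?")))
    return hits


def permission_findings(mode):
    """Describe which non-owner principals can read or write a file with the given mode bits."""
    mode = stat.S_IMODE(mode)
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by non-owner")
    return findings


def audit_config(path):
    """Combine both checks: plaintext credentials only matter if someone else can read the file."""
    with open(path, encoding="utf-8") as fh:
        creds = find_credential_resources(fh.read())
    perms = permission_findings(os.stat(path).st_mode)
    return {
        "credential_resources": creds,
        "permission_findings": perms,
        "exposed": bool(creds) and bool(perms),
    }


def demo():
    """Write the sample file with a typical loose mode, audit it, tighten to 0600, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "server.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SERVER_XML)
        os.chmod(path, 0o644)          # readable by every local account
        before = audit_config(path)
        os.chmod(path, 0o600)          # assumed policy: owner (the Tomcat user) only
        after = audit_config(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before chmod 600:", before)
    print("after chmod 600: ", after)
```

The "exposed" flag is deliberately a conjunction: a world-readable server.xml with no credentials in it, or a credential-bearing file readable only by the Tomcat account, is the acceptable state the thread recommends. What the script cannot fix is the point Greg and Tim make about root: the owner of the process can always recover the password, so this check is about keeping it away from everyone else on the host.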

