
View Full Version : Security in 2.0.17.17


Maxx
11-09-2002, 13:00
Disclaimer: I searched the forum for this issue but didn't find anything related.

I tried the php script at http://www.legion-condor.org/maletin/teamspeak7.php, as described in a posting by Maletin: http://www.teamspeak.org/forums/showthread.php?s=&threadid=1288&highlight=telnet

currently running 2.0.17.17

I connected not providing any login information and found it strange that I saw the Server Password in clear text.


I switched to .20.17, and it doesn't display the password anymore. So either I'm really confused :confused: or this could compromise some people's (not updated) server...

Edit: correct URLs

maletin
11-09-2002, 18:01
In the announcement of 2.0.17.17 (http://www.teamspeak.org/forums/showthread.php?s=&threadid=950) I found under fixed:
- si dont display anymore some secret string

I have 2.0.17.20 now, so I'm not sure, but this could be a fixed bug.
But even with superadmin rights, I can't find the actual server password.

maletin
11-09-2002, 18:03
By the way:
I found the passwords of all registered users in my server.db!

SirEd
13-09-2002, 15:07
There is another bug in the new 2.0.17.20 version ...

When you use 2 servers in the server.ini on different ports in the .17 version, you can edit the second server with the admin htmls.

In the 2.0.17.20 version you can only edit and see the default server ....

At least this is what I found out.

Jens L.
13-09-2002, 18:04
@maletin

How can you read the server.db?
That would interest me!

I'm looking for a way to edit and read the server.db with a PHP script or something.

ScratchMonkey
14-09-2002, 09:42
I noticed right away that the DB contained plaintext passwords.

Can you say what Kylix component is used to read/write the DB? With that in hand, we could perhaps write a small command line program to decompile and compile it.

A future version should probably store the passwords through a one-way hash like MD5, as Unix passwords do. That way one can't read user passwords out of the file.

If a user forgets his password, the admin then resets it to a known value that must be changed on the next login.

Saubloed
27-09-2002, 13:44
I think security is very important, especially stored passwords.
Improvement suggestions:
1. md5 encrypted passwords
2. file rights 600 and no read rights for everyone (database, logfile and settings file)
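
As an added example (not part of the thread and not TeamSpeak's code), the two suggestions in the posts above, one-way password storage and owner-only file permissions, sketched in Python. It substitutes salted PBKDF2-HMAC-SHA256 for the unsalted MD5 named in the posts; the record format, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import stat

ITERATIONS = 600_000  # assumed work factor; tune to the host


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iters$salt$digest' to store instead of the plaintext."""
    salt = secrets.token_bytes(16)  # per-user salt: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
    except ValueError:
        # Malformed record, e.g. a legacy plaintext value: never treat it as a match.
        return False
    return hmac.compare_digest(candidate, expected)


def tighten_permissions(paths, mode=0o600):
    """chmod each existing file to `mode` if group/other have any access.

    Returns the paths that were changed, so the result can be logged.
    """
    changed = []
    for path in paths:
        try:
            current = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            continue
        if current & (stat.S_IRWXG | stat.S_IRWXO):
            os.chmod(path, mode)
            changed.append(path)
    return changed
```

Because the stored record cannot be reversed, a forgotten password is handled the way ScratchMonkey describes: the admin writes a new record for a known temporary value that the user must change.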

craveytrain
11-06-2004, 00:14
I can't find any information on this since 2002. Is this still the way it works? Mine was in clear text when I imported it into MySQL. Did I do something wrong or is it working as intended?