Security in 2.0.17.17

Maxx · #1 11-09-2002, 14:00

Disclaimer: I searched the forum for this issue but didn't find anything related.

I tried the php script at http://www.legion-condor.org/maletin/teamspeak7.php, as described in a posting by Maletin: http://forum.teamspeak.com/show...ghlight=telnet

currently running 2.0.17.17

I connected not providing any login information and found it strange that I saw the Server Password in clear text.

I switched to .20.17, and it doesn't display the password anyword. So either I'm really confused

or this could compromise some people's (not updated) server...

Edit: correct URLs

maletin · #2 11-09-2002, 19:01

in the announce of 2.0.17.17 i found under fixed:
- si dont display anymore some secret string

i have 2.0.17.20 now, so i'm not sure, but this could be a fixed bug.
but even with superadmin-rights, i can't find the actual serverpassword.

maletin · #3 11-09-2002, 19:03

by the way:
i found the passwords of all registered users in my server.db!

SirEd · #4 13-09-2002, 16:07

there is another bug in the new 2.0.17.20 version ...

When u use 2 servers in de server.ini on differend ports in the .17 version u can edit second server with admin htmls.

In 2.0.17.20 version u only can edit and see default server ....

a least this is what i found out

Jens L. · #5 13-09-2002, 19:04

@maletin

how u can read the server.db ?
thats will be interesting me !

i search a kind to edit and read the server.db with an php script or something

ScratchMonkey · #6 14-09-2002, 10:42

I noticed right away that the DB contained plaintext passwords.

Can you say what Kylix component is used to read/write the DB? With that in hand, we could perhaps write a small command line program to decompile and compile it.

A future version should probably store the passwords through a one-way hash like MD5, as Unix passwords do. That way one can't read user passwords out of the file.

If a user forgets his password, the admin then resets it to a known value that must be changed on the next login.

Saubloed · #7 27-09-2002, 14:44

I think security is very important especially stored passwords.
Improvement sugesstions:[list=1][*]md5 encrypted passwords[*]filerights 600 and not read rights for everyone (database, logfile and settings file)[/list=1]

craveytrain · #8 11-06-2004, 01:14

I can't find any information on this since 2002. Is this still the way it works? Mine was in clear textwhen I imported it into MySQL. Did I do something wrong or is it working as intended?