DETAILS: -------- The /etc/init.d/mysql script lists the root password of MySQL database: -"INPUT_DB_PASSWORD=mysql123" -"bin/mysqladmin -uroot -pmysql123 shutdown" The file permission of file /etc/init.d/mysql will allow all users with a login to the NAS server to view the root password for the database. The current permissions are : -rwxrwxr-x 1 root root 1856 Jul 22 10:43 mysql WORKAROUND: ----------- Change the file permissions of /etc/init.d/mysql to limit read/write and execute to the appropriate user (eg. root). STEPS: ------ 1. Login in to NAS server as root; 2. Change file permissions : #chmod 700 /etc/init.d/mysql 3. Verify changes to file permissions : #ls -l /etc/init.d/mysql The file should have the following permissions: -rwx------ 1 root root 1856 Jul 22 10:43 mysql NOTES: ------ NAS versions that run on Windows are not affected. NAS versions, that run on Linux/Solaris and use Oracle/SQL Server as their databases are not affected. NAS versions, that run on Linux/Solaris and use MySQL installed on a host different from the core server are not affected. CONTACT INFORMATION: -------------------- Please contact security-alert AT opsware dot com, if you require additional information. Network Automation System Engineering Opsware, Inc.
Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.