Subject: Opsware NAS 6.0 reveals MySQL 'root' password
Date: Mon, 24 Jul 2006 10:05:04 -0500
Message-ID: <A9909DFFEBC8C5498745592D9899EFAC8B4635@MSPEXBE01.wamnet.inc.>
From: "Freeman, Michael" <mfreeman@multimax.com.>
To: <bugtraq@securityfocus.com.>
The Opsware Network Automation System (NAS) version 6.0 installation
places an 'init' style startup script in /etc/init.d/mysqll and places
in it the 'root' password that you choose for the MySQL MAX database
during installation.
The permissions on this small shell script are world readable, allowing
any user of the system to compromise the 'root' MySQL account. This
could reveal network intelligence including stored/shared authentication
credentials for network devices.
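
An added audit sketch, not part of the original message and not Opsware code: it lists files in an init-script directory that are world-readable and appear to embed a password, then shows the mode change that closes the read access. The function names and the credential regex are assumptions made for this example; the regex does not describe the actual contents of the Opsware script.

```shell
#!/bin/sh
# Assumed pattern for an embedded credential (constructed for this example):
# "password=" / "passwd=" assignments, or a "--password <value>" argument.
CRED_RE='(password|passwd)[[:space:]]*=|--password[[:space:]]'

# Print every regular file directly under the given directory
# (default /etc/init.d) that has the "other read" bit set and
# contains a line matching CRED_RE.
audit_init_dir() {
    dir=${1:-/etc/init.d}
    find "$dir" -maxdepth 1 -type f -perm -004 2>/dev/null |
    while IFS= read -r f; do
        if grep -Eiq -- "$CRED_RE" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Remove all group/other access from a flagged script so that only its
# owner can read it. A password that was already readable by local users
# should also be changed; the mode change alone does not un-expose it.
tighten() {
    chmod go-rwx "$1"
}

# Usage:
#   audit_init_dir /etc/init.d      # list exposed scripts
#   tighten /path/to/flagged/script # restrict one of them
```

Symbolic links in the directory are skipped by `-type f`; run the audit against the link targets as well if the init scripts are installed that way.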