I was poking around with this earlier today and found something out that I didn't like much. It's not too big of a deal, since the TeamSpeak binaries are almost without exception installed under a safe, unreachable (by the world, I mean) directory, but it's still something that shouldn't be true.
Anyway, on the teamspeak server, passwords are stored in plaintext. I think that's really stupid. Here's some stuff:
Me creating a user:
(http://sidoh.dark-wire.net/Files/Images/teamspeak_plaintext/01-create_user.jpg)
Success:
(http://sidoh.dark-wire.net/Files/Images/teamspeak_plaintext/02-success.jpg)
Seeing if the user's in the database:
(http://sidoh.dark-wire.net/Files/Images/teamspeak_plaintext/03-user_found.jpg)
Search for the user:
(http://sidoh.dark-wire.net/Files/Images/teamspeak_plaintext/04-searching_for_user.jpg)
User/password found:
(http://sidoh.dark-wire.net/Files/Images/teamspeak_plaintext/05-plaintext_password.jpg)
The password (text):
00006b80 08 08 0a 0c 16 23 35 35 31 00 30 00 <74>65 73 74 .....#551.0.test
00006b90 5f 75 73 65 72 00 74 65 73 74 70 61 73 73 77 6f _user.testpasswo
00006ba0 72 64 00 31 34 31 32 32 30 30 35 31 38 32 38 30 rd.1412200518280
00006bb0 36 39 33 39 00 07 03 40 48 00 00 00 00 00 00 00 6939...@H.......
You can log in to www.sidoh.org:8777 and see for yourself if you feel like it. :)
God you are such a nerd. :P
Quote from: deadly7 on December 14, 2005, 08:32:25 PM
God you are such a nerd. :P
That's a given:
Quote: Sidoh
[Sidoh]
Nerd
x86
Hero Member
But that's not the point. The point is the developers of TeamSpeak made it sloppy! :)
Yeah, for this type of software there is no reason to keep passwords in plaintext.
And why did they say PassWord? That looks so silly!
Quote from: iago on December 14, 2005, 08:37:05 PM
Yeah, for this type of software there is no reason to keep passwords in plaintext.
And why did they say PassWord? That looks so silly!
No joke! Damn TSRC2. I wonder if Ventrilo's like this...
Haha, I noticed that too! I thought it looked funny as well. :)
I think they tell you that the passwords are stored in plaintext. Just chmod 400 server.dbs and you have no issues. :)
Quote from: Newby on December 14, 2005, 10:00:54 PM
I think they tell you that the passwords are stored in plaintext. Just chmod 400 server.dbs and you have no issues. :)
Still, what's the point of not hashing them?
Quote from: Sidoh on December 14, 2005, 10:08:30 PM
Quote from: Newby on December 14, 2005, 10:00:54 PM
I think they tell you that the passwords are stored in plaintext. Just chmod 400 server.dbs and you have no issues. :)
Still, what's the point of not hashing them?
It's useless. If someone gets admin on your server, discontinue their access to the file and change the password. It's a goddamn VoIP server. :P
Quote from: Newby on December 14, 2005, 10:36:19 PM
It's useless. If someone gets admin on your server, discontinue their access to the file and change the password. It's a goddamn VoIP server. :P
Actually, the risk I was more worried about was if someone who had SSH access to the server secretively opened the database file in vim and found passwords. If people don't know someone has their password, they can get screwed over (i.e. deleting accounts, etc.).
It's still completely unjustifiable to not hash them.
By the way, 400 broke the server. I could connect, but no one else could. I changed it to 555; I'm not sure if that's the most appropriate access or not, though. :)
Edit --
"Hmm" on the 400 breaking the server issue. I don't think that makes much sense. Maybe it's my friend's connection, which could definitely be the case, seeing as he's on satellite internet... :)
Hmm... doesn't make sense.... at all. :|
Quote from: Newby on December 14, 2005, 11:16:30 PM
Hmm... doesn't make sense.... at all. :|
Haha, yeah. It's my friend's connection. His internet BLOWS monkey balls.
555 lets anybody read it, which is bad++. :-/
When passwords need to be stored to be used later, like Gaim, it's understandable to not hash them. There are plenty of reasons, which I don't feel like enumerating. But on the server side, the passwords should never even be KNOWN in plaintext. The password should be hashed before even SENDING it to the server, and also stored in plaintext.
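To make the server-side storage point concrete, here is an added example (my own code, not TeamSpeak's or anyone's in this thread) that stores a salted PBKDF2 hash instead of the password and verifies a login against it. It reuses the `test_user` / `testpassword` values from the hex dump above and builds a NUL-separated record in the same spirit, purely as a constructed sample; the iteration count and the record format are assumptions. One caveat on hashing before sending: if the client only sends a hash and the server stores that hash as-is, the hash becomes the credential and a copied database still works for login, so the server-side salted hash below is what actually protects the file on disk.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: iteration count chosen for a 2005-era-friendly demo; tune upward in practice.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'algo$iterations$salt$digest' string.
    A fresh random salt per user means equal passwords give different records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_contains_password(record: bytes, password: str) -> bool:
    """The check the thread did with a hex editor: is the password visible as-is?"""
    return password.encode() in record


def demo() -> dict:
    """Compare a plaintext record with a hashed one for the same account.
    Both records are constructed for this example."""
    user, password = "test_user", "testpassword"
    plaintext_record = user.encode() + b"\x00" + password.encode() + b"\x00"
    hashed_record = user.encode() + b"\x00" + hash_password(password).encode() + b"\x00"
    stored = hashed_record.split(b"\x00")[1].decode()
    return {
        "plaintext_leaks": record_contains_password(plaintext_record, password),
        "hashed_leaks": record_contains_password(hashed_record, password),
        "verify_ok": verify_password(password, stored),
        "verify_wrong": verify_password("wrongpass", stored),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the hashed record, anyone who can read the file (the SSH-in-vim scenario above) sees only the salt and digest, and the server never needs the plaintext after the hash is computed.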
Quote from: iago on December 14, 2005, 11:35:06 PM
555 lets anybody read it, which is bad++. :-/
When passwords need to be stored to be used later, like Gaim, it's understandable to not hash them. There are plenty of reasons, which I don't feel like enumerating. But on the server side, the passwords should never even be KNOWN in plaintext. The password should be hashed before even SENDING it to the server, and also stored in plaintext.
My thoughts exactly. :)
Quote from: Sidoh on December 14, 2005, 08:37:55 PM
Quote from: iago on December 14, 2005, 08:37:05 PM
Yeah, for this type of software there is no reason to keep passwords in plaintext.
And why did they say PassWord? That looks so silly!
No joke! Damn TSRC2. I wonder if Ventrilo's like this...
Haha, I noticed that too! I thought it looked funny as well. :)
Ventrilo's nothing like that, and with Ventrilo, I haven't found out how to write scripts for it as I have TS.