web application security lab

VMWare Configuration Issue Discloses Site Password

This is almost too ridiculous to post, but there’s a point to it, I promise. There is a pretty funky issue on VMWare’s site where they basically show the username and password of their Drupal install. It’s so sloppy I barely even want to mention it, except (again) there’s a point here that goes beyond VMWare’s configuration oversight.

If you look at the above picture, you’ll notice something interesting in their featured partners. Something… not right:

[Screenshot: the featured partners box on VMWare’s site, showing raw PHP source in the page output]

Digging through the source we find the originating code:


Click to enlarge.

Ouch… either the server is misconfigured in how it handles the .php extension, or the PHP include is not terminated properly. Oops. Either way, the Drupal site’s database password is now disclosed. “Okay, boring problem, why are you even talking about it, RSnake?” Here’s why: one of my major problems with database-driven web applications is that the password is almost always embedded within the code. If there is ever a breach in the way the code is rendered, or anything that makes the server give up information about the source of the page, the site can be compromised. There’s one saving grace here: it’s an internal database (localhost). But my point remains. Keep your passwords out of the web-accessible directory whenever possible.
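The failure mode above (PHP served as text instead of executed) is easy to check for on a site you operate, because a correctly rendered page never contains its own `<?php` tag. The script below is an added example written for this article, not code from VMWare or ha.ckers.org: it scans fetched page bodies for unrendered PHP and for Drupal-style database credentials, reports the user and host (flagging a localhost database, the “saving grace” noted above) and redacts the password so the report itself does not re-leak it. The URLs under `example.test` and the page bodies are constructed samples; the `$db_url` string form is the Drupal 5/6 settings layout and the `$databases` array is the Drupal 7 layout.

```python
"""Scan fetched pages of your own site for PHP source that was served
instead of executed, and for database credentials embedded in it.
Added example for this article; not VMWare's or ha.ckers.org's code."""
import re
from urllib.parse import urlsplit

# An executed PHP page never contains its own opening tag in the output.
PHP_OPEN = re.compile(r"<\?php\b|<\?=")
# Drupal 5/6 settings.php line: $db_url = 'mysql://user:pass@host/db';
DB_URL = re.compile(r"\$db_url\s*=\s*['\"](?P<url>\w+://[^'\"]+)['\"]")
# Other common shapes: $db_pass = '...';  or  'password' => '...' (Drupal 7+).
# Deliberately loose (it will also flag e.g. $bypass = '...'); a scanner
# should over-report and let a human confirm.
GENERIC = re.compile(
    r"(?:\$\w*(?:pass|pwd)\w*\s*=|['\"](?:pass|password|db_password)['\"]\s*=>)"
    r"\s*['\"](?P<secret>[^'\"]*)['\"]",
    re.IGNORECASE,
)
INTERNAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def redact(secret):
    """Keep only the first character so the report never re-leaks the secret."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def scan_page(url, body):
    """Return a list of findings for one fetched page body."""
    findings = []
    if PHP_OPEN.search(body):
        findings.append({"url": url, "type": "unrendered-php"})
    for m in DB_URL.finditer(body):
        parts = urlsplit(m.group("url"))  # mysql://user:pass@host/db parses like any URL
        findings.append({
            "url": url, "type": "db-credentials",
            "user": parts.username, "host": parts.hostname,
            "password": redact(parts.password or ""),
            "internal_db": parts.hostname in INTERNAL_HOSTS,
        })
    for m in GENERIC.finditer(body):
        findings.append({
            "url": url, "type": "db-credentials",
            "user": None, "host": None,
            "password": redact(m.group("secret")), "internal_db": None,
        })
    return findings


def scan_site(pages):
    """pages: {url: response body}. In practice, fetch these with your crawler."""
    return [f for url, body in pages.items() for f in scan_page(url, body)]


# Constructed sample responses (hypothetical site, hypothetical credentials).
SAMPLE_PAGES = {
    "https://example.test/index.html": "<html><body><p>Welcome</p></body></html>",
    "https://example.test/partners.php": (
        '<div class="partners">\n'
        "<?php\n"
        "$db_url = 'mysql://dbuser:S3cret@localhost/drupal';\n"
        "$db_prefix = '';\n"
        "?>\n"
        "</div>\n"
    ),
    "https://example.test/settings-leak.php": (
        "<?php\n"
        "$databases['default']['default'] = array(\n"
        "  'driver' => 'mysql', 'database' => 'drupal',\n"
        "  'username' => 'dbuser', 'password' => 'Oth3rSecret', 'host' => 'localhost',\n"
        ");\n"
    ),
}

if __name__ == "__main__":
    for finding in scan_site(SAMPLE_PAGES):
        print(finding)
```

Run it against saved responses from your own crawl rather than against the samples; any `unrendered-php` finding is worth treating as an incident even when no credential pattern matched, since the leaked fragment may simply have been cut before the connection string.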

2 Responses to “VMWare Configuration Issue Discloses Site Password”

  1. apnovi Says:

    Well said… Ouch indeed! Plus, how weak is that password… lol

  2. RSnake Says:

    Hahah… indeed. It looked default to me. It looks like they’ve fixed the issue though. That’s good.

    One of the most interesting parts about ha.ckers.org is that since security is such a small place no matter what company I post about there’s always someone who knows someone who works there and can fix the issue. It’s both comforting and a little disturbing at the same time.