Larry W. Cashdollar wrote:
>
> I am releasing this a bit early as the vendor has been aware of this issue
> for a while now.
[...]
> The webserver administrator password is stored clear-text in a world-
> readable file. A local user can use the webserver admin password to gain
> control of the (by default) root-owned xitami process. The server can then be
> reconfigured by the malicious user (locally, unless configured to allow
> remote administration) to read sensitive system files and execute commands
> as root.
[...]

On FreeBSD, the Xitami port installs in a way that Xitami has only its default configuration and will not run automatically; the user has to complete the installation manually. The intention is, of course, that he/she will configure the program first, including the security matters.

You are right, however: if that's not done but Xitami is simply started, then it is insecure. I'll add a more descriptive warning to the port.
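The condition the advisory describes, a credential sitting in a file any local user can read, is easy to check for before a service is started. The script below is an added example, not code from the thread, from Xitami or from the FreeBSD port; it does not know Xitami's configuration file name (the thread never gives it) and instead takes a directory to scan. The file names, contents and the `passw` search pattern in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: find world-readable files that appear to hold a password.
# Not part of the original mailing-list thread; paths and contents are
# constructed assumptions, and the Xitami config file name is not assumed.

# is_world_readable FILE
# Exit 0 if the "others" read bit is set, 1 if not, 2 if FILE is missing.
# Uses ls(1) rather than stat(1) because stat's flags differ between
# GNU and BSD; column 8 of the long listing is the others-read bit.
is_world_readable() {
    f="$1"
    [ -e "$f" ] || return 2
    bit=$(ls -ld -- "$f" | cut -c8)
    [ "$bit" = "r" ]
}

# scan_dir DIR
# Print every regular file under DIR that is world-readable (-perm -004)
# and contains "passw" (matches password/passwd), one path per line.
scan_dir() {
    d="$1"
    find "$d" -type f -perm -004 2>/dev/null | while IFS= read -r f; do
        if grep -qi 'passw' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# demo: build a throwaway directory with three constructed config files and
# run scan_dir over it. Only readable.cfg should be reported: private.cfg
# holds the same secret but is mode 0600, harmless.cfg is world-readable
# but contains no credential.
demo() {
    d=$(mktemp -d) || return 1
    printf 'admin-password=secret\n' > "$d/readable.cfg"   # constructed
    chmod 0644 "$d/readable.cfg"
    printf 'admin-password=secret\n' > "$d/private.cfg"    # constructed
    chmod 0600 "$d/private.cfg"
    printf 'loglevel=2\n' > "$d/harmless.cfg"              # constructed
    chmod 0644 "$d/harmless.cfg"
    scan_dir "$d"
    rm -rf "$d"
}
```

Run `scan_dir /path/to/config/dir` against the directory a service reads its configuration from before starting it; any path it prints should be tightened with `chmod o-r` (or `chmod 0600` if only the service's user needs it). The check covers only the mode bits, so a file in a directory that is itself world-traversable but whose parent is not will still be reported; that is the conservative choice here.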