Xitami 2.4 through 2.5 b4 stores the Administrator password in plaintext in the default.aut file, whose default permissions are world-readable, which allows remote attackers to gain privileges.
Xitami web server versions 2.4 through 2.5 b4 contain a critical security flaw: the administrator password is stored in plaintext in a file that is readable by anyone, so a remote attacker who retrieves that file obtains unauthorized administrative control over the server.
Step 1: Reconnaissance: The attacker identifies a vulnerable Xitami web server (versions 2.4-2.5b4). This can be done through port scanning (port 80 or 8080) and banner grabbing.
Step 2: File Retrieval: The attacker requests the default.aut file from the web server. This is a simple HTTP GET request to the file's location (e.g., http://<target>/default.aut).
Step 3: Password Extraction: The attacker receives the default.aut file, which contains the administrator password in plaintext.
Step 4: Privilege Escalation: The attacker uses the extracted administrator credentials to log into the Xitami web server's administrative interface. This allows them to control the server, potentially leading to data theft, system compromise, or further attacks.
The vulnerability stems from Xitami's insecure storage of the administrator password. The software writes the password in plaintext to the default.aut file. This file, by default, has world-readable permissions. This means any user or process on the system, or any remote attacker with network access, can read the file and obtain the administrator password. The root cause is a failure to implement secure password storage practices, such as hashing and salting, and a failure to properly restrict file permissions. There is no complex logic flaw, just a fundamental security misconfiguration.
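As an added illustration of that root cause (constructed example, not Xitami's own code), the weak storage pattern sits beside a hardened version, with the check a defender would run against a credential file; the record format, the PBKDF2 scheme and the file names are assumptions:

```python
import hashlib, hmac, os, secrets, stat, tempfile

# Constructed demo, not Xitami's code: the weak pattern above beside a hardened one,
# plus the check a defender would run on a file like default.aut.
ITERATIONS = 200_000

def write_plaintext_world_readable(path, password):
    # Vulnerable pattern: secret stored as-is, file readable by everyone.
    with open(path, "w") as f:
        f.write(f"admin:{password}\n")
    os.chmod(path, 0o644)  # group and others can read the password

def write_hashed_owner_only(path, password):
    # Hardened pattern: salted PBKDF2 hash, file created with mode 0600.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"admin:pbkdf2${salt.hex()}${digest.hex()}\n")
    os.chmod(path, 0o600)  # enforce owner-only access regardless of umask

def read_secret(path):
    with open(path) as f:
        return f.readline().strip().partition(":")[2]

def verify_password(path, password):
    # Recompute from the stored salt and compare in constant time.
    parts = read_secret(path).split("$")
    if len(parts) != 3 or parts[0] != "pbkdf2":
        return False  # unknown or plaintext format: never accept
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(parts[1]), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(parts[2]))

def audit_credential_file(path):
    # Findings a defender wants for a credential file such as default.aut.
    findings = []
    if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group or others")
    if not read_secret(path).startswith("pbkdf2$"):
        findings.append("credential stored in plaintext")
    return findings

def demo():
    with tempfile.TemporaryDirectory() as d:
        weak, hardened = os.path.join(d, "default.aut"), os.path.join(d, "hardened.aut")
        write_plaintext_world_readable(weak, "hunter2")
        write_hashed_owner_only(hardened, "hunter2")
        return {"weak": audit_credential_file(weak), "hardened": audit_credential_file(hardened),
                "accepts_correct": verify_password(hardened, "hunter2"),
                "accepts_wrong": verify_password(hardened, "wrong")}
```

The audit flags both defects on the weak file and none on the hardened one; the same two checks apply to any on-disk credential store, not just this product's.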