Readable database password in BASServer.props

nhofkes
Posts: 94
Joined: Mon Sep 07, 2020 6:03 am
Location: Netherlands

Post by nhofkes »

I noticed that the BASServer.props contains the password for the database root user in a readable form (i.e. non-encrypted). This means that anyone with access to that file can see the password and therefore access the database. Is this how it is supposed to be? To me it seems a potential security issue.
Of course I realize that in order to access the .props file, you need to have access to the server, and if someone already has access to the server, there may be other ways to hack into the database (or cause other problems). Still, it surprised me that the password was clearly spelled out in a plain text file.
Is there any way to resolve this? I tried to modify the file and simply remove the password, but that just resulted in the AIM Server failing to start (with a rather ungraceful exception error).
Niels
(V9.0 build 3241 - MariaDB - Windows)
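As an added example (not code from the original post or from Aware IM): a small Python audit that parses a Java-style .props file the way java.util.Properties does, flags any non-empty password-like key and any database login that is a built-in administrative account such as root, and on POSIX hosts also checks the file's read bits. The key names DBUser, DBPassword and DBURL and the sample file content are constructed assumptions standing in for whatever BASServer.props actually uses.

```python
"""Audit a Java-style .props/.properties file for plaintext DB credentials.

Added example, not Aware IM code. Key names (DBUser, DBPassword, DBURL) are
assumptions standing in for whatever BASServer.props actually uses.
"""
import os
import re
import stat
from pathlib import Path

# Constructed sample in java.util.Properties syntax; it is NOT a real
# BASServer.props and the key names are assumptions.
SAMPLE_PROPS = """\
# Aware IM server configuration (constructed sample)
DBUser = root
DBPassword : S3cretRootPw!
DBURL=jdbc:mariadb://localhost:3306/awareim
ServerPort=8080
Tagline = multi\\
   line value
"""

PASSWORD_KEY = re.compile(r"pass(word|wd)?|secret|pwd", re.IGNORECASE)
USER_KEY = re.compile(r"(user(name)?|login)$", re.IGNORECASE)
PRIVILEGED_ACCOUNTS = {"root", "sa", "postgres", "admin", "administrator"}


def parse_properties(text):
    """Parse java.util.Properties syntax: '#'/'!' comment lines, a key ended by
    the first unescaped '=', ':' or whitespace, and backslash line continuation.
    A later duplicate key overrides an earlier one, as Properties.load does."""
    props = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].lstrip()
        i += 1
        if not line or line[0] in "#!":
            continue
        # An odd number of trailing backslashes means the value continues on the next line.
        while i < len(lines) and (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            line = line[:-1] + lines[i].lstrip()
            i += 1
        key = []
        j = 0
        while j < len(line):
            ch = line[j]
            if ch == "\\" and j + 1 < len(line):   # escaped separator inside the key
                key.append(line[j + 1])
                j += 2
                continue
            if ch in "=: \t":
                break
            key.append(ch)
            j += 1
        rest = line[j:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props["".join(key)] = rest.replace("\\=", "=").replace("\\:", ":")
    return props


def audit_credentials(props):
    """Return human-readable findings: any secret stored in the clear, and any
    database login that is a built-in administrative account."""
    findings = []
    for key, value in props.items():
        if PASSWORD_KEY.search(key) and value:
            findings.append(f"{key}: plaintext secret present ({len(value)} chars)")
        if USER_KEY.search(key) and value.lower() in PRIVILEGED_ACCOUNTS:
            findings.append(f"{key}: privileged account '{value}' used by the application")
    return findings


def check_file_mode(path):
    """POSIX only: flag group/other read bits on the config file. On Windows the
    equivalent check is the file's ACL (icacls / Get-Acl), which stat cannot show."""
    if os.name != "posix":
        return []
    mode = Path(path).stat().st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return [f"{path}: readable by group/others ({stat.filemode(mode)})"]
    return []


def audit_text(text):
    """Parse and audit a properties file given as text; returns the findings list."""
    return audit_credentials(parse_properties(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_PROPS):
        print(finding)
```

Of the two findings on the sample, the second is the one an operator can fix without vendor support: create a dedicated MariaDB account whose grants are limited to the application's own database and put that account in the file instead of root. The plaintext storage itself can only be mitigated by restricting who can read the file, since, as the post notes, the server refuses to start without the value. On Windows, where the poster runs it, the file-mode check is a no-op and the ACL on the .props file should be inspected with icacls or Get-Acl instead.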
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Readable database password in BASServer.props

Post by hpl123 »

nhofkes wrote: Mon Sep 27, 2021 8:42 pm
I noticed that the BASServer.props contains the password for the database root user in a readable form (i.e. non-encrypted). This means that anyone with access to that file can see the password and therefore access the database. Is this how it is supposed to be? To me it seems a potential security issue.
Of course I realize that in order to access the .props file, you need to have access to the server and if someone has already access to the server, there may be other ways to hack into the database (or cause other problems). Still, it surprised me that the password was clearly spelled out in a plain text file.
Is there any way to resolve this? I tried to modify the file and simply remove the password, but that just resulted in the AIM Server failing to start (with a rather ungraceful exception error).
This IS a security issue and there has been an active feature request to fix this for many years. The logic from Awaresoft, if I remember correctly, is that the server should be secure so no unauthorized users can access the server, and then it isn't that bad. I can understand that, but I would still prefer to have this fixed :).
Henrik (V8 Developer Ed. - Windows)