Thread: Database integrity Check email insecurity?

  1. #1 pmavrovic (New Member)

    Database integrity Check email insecurity?

    Hello,
    I am currently using Release 7.0.1_GA_3105.UBUNTU10_64 UBUNTU10_64 FOSS edition version of Zimbra and I have received the following database error message.

    Database errors found.
    /opt/zimbra/mysql/bin/mysqlcheck --defaults-file=/opt/zimbra/conf/my.cnf -S /opt/zimbra/db/mysql.sock -A -C -s -u root --password=xxxxxxxxxxx
    mysql.general_log
    Error : You can't use locks with log tables.
    mysql.slow_log
    Error : You can't use locks with log tables.

    Based on the readme I know to ignore the error above, however the one thing that concerns me is that Zimbra sends the password in the above command line in plain text.

    I have purposely obfuscated the password in the command line above with "XXXXXXX".

    Is there an option in the Zimbra config to make zimbra not send the actual password or at least send one that is hashed?

    I am aware that the email is only coming to the admin account and that assuming one sets up zimbra to use certificate based email, everything will be in an encrypted session. However this still brings concern for those individuals who do not use encryption.
    I feel that this open information may be used as an attack vector to Zimbra.

    Can someone confirm that the password is not in plain text?

    Kind regards,

    Paul Mavrovic, CISSP

  2. #2 lytledd (Elite Member, Michigan)

    Quote Originally Posted by pmavrovic:
      "however the one thing that concerns me is that Zimbra sends the password in the above command line in plain text."
    I'm running 7.10 and do not get the password in plain text. It shows the encrypted password.

    Doug
    Ben Franklin quote:

    "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."

  3. #3 pmavrovic (New Member)

    I will do more research on this; however, it does worry me that it sends back a response even with a hashed password.

    Kind regards,

  4. #4 ar74 (Trained Alumni)

    Quote Originally Posted by pmavrovic:
      "Can someone confirm that the password is not in plain text?"
    I'm running Release 7.1.1_GA_3196.UBUNTU10_64 UBUNTU10_64 FOSS edition, fresh install.

    I received zmdbintegrityreport with mysql root password in plain text too. I'm going to disable this report...

  5. #5 dunkirk (Active Member)

    How do you disable these reports?

  6. #6 ar74 (Trained Alumni)

    You can disable it globally:

    zmlocalconfig -e zmdbintegrityreport_disabled=TRUE

    Or take a look in zimbra crontab:
    [...]
    # Report on any database inconsistencies
    #
    0 23 * * 7 /opt/zimbra/libexec/zmdbintegrityreport -m
    [...]

    This script is running with the -m option... maybe you can simply suppress the email report.

  7. #7 pmavrovic (New Member)

    Thanks for update!

    Thanks for the update that information is helpful!

  8. #8 stasouv (Active Member)

    Hi, I did a little mangle on the

    /opt/zimbra/libexec/zmdbintegrityreport

    and now instead of password it sends me a custom string, for instance "XXXXX".

    To do that, edit the script and find the checkDbs() function... Add two lines of code, as follows

    Code:
      my $cmd = "${zimbra_home}/mysql/bin/mysqlcheck";
      $cmd .= " --defaults-file=${mysql_mycnf}";
      $cmd .= " -S ${mysql_socket}";
      $cmd .= " -A -C";
      $cmd .= " -s" unless $debug;
      # Added line: $cmd1 is a copy of the command with the password masked, used only in the report text.
      my $cmd1 = $cmd . " -u root --password=XXXXXXXXXXX";
      $cmd .= " -u root --password=${mysql_root_passwd}";
      # Added line: keep $cmd1 in step with $cmd so the reported command still matches what was run.
      $cmd1 .= " --auto-repair" if $options{r};
      $cmd .= " --auto-repair" if $options{r};
    And a little later, change the line

    Code:
        addToReport("can't run $cmd: $!\n");
    to

    Code:
        addToReport("can't run $cmd1: $!\n");
    and a couple of lines later, change

    Code:
        addToReport("$cmd\n");
    to

    Code:
        addToReport("$cmd1\n");
    That should do the trick
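The same approach as the post above, written as a stand-alone Python example (added here, not Zimbra's own script): the command is assembled once as an argv list, and only a redacted rendering is ever appended to the report text. The Zimbra paths mirror those in the thread; the password value, the report list and the mask string are constructed for illustration, and the redaction also covers the short `-pVALUE` form, which the post does not need to handle.

```python
import re
import shlex
import subprocess

# Constructed example values; the real script reads these from Zimbra localconfig.
ZIMBRA_HOME = "/opt/zimbra"
MYSQL_MYCNF = f"{ZIMBRA_HOME}/conf/my.cnf"
MYSQL_SOCKET = f"{ZIMBRA_HOME}/db/mysql.sock"

# Matches a whole argv entry of the form --password=VALUE or -pVALUE.
_SECRET_ARG = re.compile(r"^(--password=|-p)(.+)$")


def build_mysqlcheck_argv(root_passwd, debug=False, auto_repair=False):
    """Return the mysqlcheck argv list with the same flags the Zimbra script assembles."""
    argv = [f"{ZIMBRA_HOME}/mysql/bin/mysqlcheck",
            f"--defaults-file={MYSQL_MYCNF}", "-S", MYSQL_SOCKET, "-A", "-C"]
    if not debug:
        argv.append("-s")
    argv += ["-u", "root", f"--password={root_passwd}"]
    if auto_repair:
        argv.append("--auto-repair")
    return argv


def redact_argv(argv, mask="XXXXXXXXXXX"):
    """Return a copy of argv with the value of any password argument replaced by mask."""
    out = []
    for arg in argv:
        m = _SECRET_ARG.match(arg)
        out.append(f"{m.group(1)}{mask}" if m else arg)
    return out


def display_command(argv):
    """Shell-quoted, redacted rendering that is safe to put in the emailed report."""
    return shlex.join(redact_argv(argv))


def run_check(argv, report):
    """Run mysqlcheck; every line appended to the report uses the redacted form only."""
    shown = display_command(argv)
    report.append(shown + "\n")
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    except OSError as e:  # binary missing or not executable: report it, still without the secret
        report.append(f"can't run {shown}: {e}\n")
        return None
    return proc.returncode
```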
