STAC Insecure

STAC Replica for NT Passwords Are Stored In Clear Text

Reported May 7, 1998 by Steven Kastl

Systems Affected

Windows NT


STAC International markets a product for various OS's called Replica. It is a backup/restore/disaster-recovery tool. This message deals specifically with the version for NT.


Passwords are stored in plain text.


With the update to the latest version of Replica (3.05, I believe) there
is a scripting facility for creating scripts to backup systems. These
scripts are created via an application that presents the user with a
series of questions about the backup operation to be performed. Part of
this "config" information is "Username:" and "Password:" (Both username
and password need to be entered twice--which makes extraction even
easier). A check of the resulting file shows it contains the password in
clear text.


Don't use the scripting engine or else be *overly protective* of these
files. My current workaround is to call the files across (via FTP) from a
secure server behind a firewall to a protected directory on the server and
then execute them. Once execution is complete, delete them.

Not very sexy, but it works (kinda -- there are extenuating circumstances

Overall, I would say the product is exceptional at what it does. I can
recover a completely obliterated box in about 15 minutes (including
*everything*). YMMV

But this issue is a wart on an otherwise beautiful package. I hope they
can get this fixed soon.


Reported by: Steve Kastl
Posted here at NTSecurity.Net