List: ntbugtraq
Subject: Dangerous information in CentraOne Log files,
From: zedfly () HUSHMAIL ! COM
Date: 2001-12-17 14:17:05
-----BEGIN PGP SIGNED MESSAGE-----
Vendor Contacted: 12/7/01
Date Published: 12/17/01
Bugtraq ID: -
CVE CAN: -
Title: Dangerous information being recorded in CentraOne Log files, possible user impersonation
Severity: Medium
Remote Exploit: No
Local Exploit: Yes
Vulnerability Description:
Centra is a Web-based product designed to facilitate e-learning and collaboration. By default, when the application is launched, several log files are created within one of the application's sub-directories. These log files are not protected and contain sensitive information about the user, his/her machine and the connected network, including the proxy server name, port, exception list and a base64 encoded username / password string. Base64 is not an encryption method and it is, therefore, trivial to decode the clear text username and password.
This information could easily be used, by both internal and external users, to successfully launch an impersonation attack on related systems participating in the user's network: Centra technical support frequently requests that these files be e-mailed, and external facing devices such as remote access devices and secure web sites typically use the same username / password combination.
Solution/Vendor Information/Workaround:
Vendor contacted on 12/7/01. Having received no response by 12/17, vulnerability published.
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com
wlsEARECABsFAjwd/fsUHHplZGZseUBodXNobWFpbC5jb20ACgkQUqpz3LoqFkkFdwCf
ROqyi8jce6/+Lt8QVQiYOdTwYL4An2j18u14T/dJ4ld9ybsg12gWBVxy
=MAoN
-----END PGP SIGNATURE-----
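
An added example (not part of the original advisory and not Centra's code): a Python filter that redacts base64 strings decoding to printable `user:password` text from a log before the file is e-mailed to support. The log layout, the key names and the `user:password` encoding are assumptions, since the advisory does not give the file format.

```python
import base64
import binascii
import re

# Runs of base64 alphabet, 8+ characters, with optional padding.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{8,}={0,2}(?![A-Za-z0-9+/=])")
PLACEHOLDER = "[REDACTED-BASE64-CREDENTIAL]"


def looks_like_credential(token: str) -> bool:
    """True if token decodes to printable 'user:password' text (assumed format)."""
    if len(token) % 4:
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    return bool(sep and user and password and decoded.isprintable())


def redact_log(text: str):
    """Return (redacted_text, line_numbers_with_hits) for one log file's text."""
    out, hit_lines = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        tokens = [t for t in B64_TOKEN.findall(line) if looks_like_credential(t)]
        for token in tokens:
            line = line.replace(token, PLACEHOLDER)
        if tokens:
            hit_lines.append(lineno)
        out.append(line)
    return "\n".join(out), hit_lines


# Constructed sample; the real log layout and key names are not given in the advisory.
SAMPLE_LOG = """\
proxy.host=proxy.example.internal
proxy.port=8080
proxy.auth=YWxpY2U6czNjcjN0IQ==
session.id=ABCDEFGH12345678
"""

if __name__ == "__main__":
    cleaned, hit_lines = redact_log(SAMPLE_LOG)
    print(cleaned)
    print("redacted credential-like strings on lines:", hit_lines)
```

Redaction only covers copies that leave the machine; the log on disk still needs restrictive file permissions, and any password found this way should be changed.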