certificate, so that there can be no "man in the middle" (servers
usually don't verify client certificates).
The problem discussed in this writeup is caused by a software flaw.
The flaw allows an attacker to inject client commands into an SMTP
session during the unprotected plaintext SMTP protocol phase (more
on that below), such that the server will execute those commands
during the SMTP-over-TLS protocol phase when all communication is
supposed to be protected.
The injected commands could be used to steal the victim's email or
========================================================================
Vulnerability Affecting FireGPG Passphrase and Cleartext Recovery
10/20/2008
Abstract
FireGPG is a Firefox extension that provides a front-end to GPG,
allowing webmail users to conveniently exchange GPG messages from
Firefox.
Background:
For most web application logins a user fills out an HTTP form, which sets up the user with a session cookie. The cookie content is merely a session ID, which allows the server-side application to match incoming requests to a specific user and session. If the cookie gets compromised, such as using XSS, the attacker might be able to impersonate the user for the duration of the session but it typically does not allow the attacker to obtain the user's login credentials.
Vulnerability:
The web management interface of Citrix NetScaler stores the user's credentials in an encrypted form in the cookie, namely values ns1 and ns2. In addition the cookie contains other encrypted information in values ns3, ns4, and ns5. Since the encryption is a simple XOR with a fixed key stream it is possible to determine parts of the key stream by XOR'ing a known plaintext with its corresponding ciphertext. This in turn allows the attacker to recover the plaintext form of the user's credentials by applying the key stream to cookie values ns1 and ns2. Furthermore, the cipher does not in any way pad the plaintext before it gets encrypted so the length of the ciphertext is equal to the length of the plaintext, which also provides a clue about the plaintext.
There are several approaches to obtain the ciphertext for some known plaintext:
* Log into the management console with the attacker's own credentials (if the attacker is a configured user, even with minimal privileges) and analyze his own cookie.
* Make an educated guess about the username contained in ns1. (As an example, the default root user on NetScaler is "nsroot".)
OpenSSH Security Advisory: cbc.adv
Regarding the "Plaintext Recovery Attack Against SSH" reported as
CPNI-957037[1]:
The OpenSSH team has been made aware of an attack against the SSH
protocol version 2 by researchers at the University of London.
Unfortunately, due to the report lacking any detailed technical
description of the attack and CPNI's unwillingness to share necessary
information, we are unable to properly assess its impact.
Furthermore, with every "authentication" attempt to the server the attacker
gains knowledge of the administrative password.
The password for the "SuperUser" is sent from the TSA server to the client in
cleartext in the following way:
Name=SuperUser Password=072 175 173 176 173 177 181
Well, it is exactly as it appears above. It is the "SuperUser"'s account
name and
- -----------------------------------------------------------------------
iViZ Techno Solutions Pvt. Ltd.
http://www.ivizsecurity.com
- -----------------------------------------------------------------------
* Title: Hewlett-Packard BIOS Plain Text Password Disclosure
* Date: 25/08/2008
* Software: Hewlett-Packard BIOS
* Vendor Bug Tracker : SSRT080104
Introduction:
-------------
The OKI C5510MFP printer offers a web interface for the configuration.
Certain pages require higher privileges for making changes. However, the
password required for accessing these pages is sent to the client in
clear text by the printer. Furthermore, the password can be set without
prior authentication. Consequently, the whole configuration can be
changed without knowing the password.
Vulnerable:
- Session fixation
- Session impersonation
- Remote buffer overflow
- Privilege escalation in two applications
- Missing authentication in configuration panel
- Admin password is delivered in plaintext inside the server response
- Cookies are set for root path, not application path
- Crawler endless loop
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
----------------------------
evalsmsi 2.1.03 contains multiple vulnerabilities.
1 - Insecure storage of password
The passwords are stored in plaintext in the database.
table : authentification
column: password
2 - Authentication Bypass
23/tcp open telnet
80/tcp open http
Port 80 gives access through an HTML interface to the configuration menu, as would be expected, but although you can control access to that interface using a password, there is no control over the telnet port. So, by telnetting to port 23 (on its default IP 192.168.0.1) users automatically get access to the filesystem without providing any credentials at all. The file system of the device may then be used for malicious communication and temporary data storage. Also, a user may download the firmware upgrade page's HTML code from the www directory and modify it locally to allow files other than IMG files to be uploaded, replacing the existing firmware and making the device useless.
Also, one can view the contents of the /etc/htpasswd file, where everything is in plaintext, and retrieve the web-based administrator's (admin) password. Some of the possible implications, which can be triggered from the web interface but are not limited to the following, are:
1. Intruders can now open the configuration page and go through the submenus, where they can get the wireless key in use (the wireless key is displayed in plaintext as well).
2. They can perform a trivial DoS attack (a factory restart of the modem stops everything from working). The same can be done from the telnet session: by issuing the command "reboot" the device will obey and restart itself.
3. They can change configurations and policies for clients, causing confusion.
4. Or they could download a backup copy of the configuration file for the device (the same file can be obtained by viewing the contents of "/tmp/nvram"); from that file one can easily extract the ADSL account logins or any other information they are curious about, as everything is stored in plaintext, once again.
> connection.
>
>> > The usage pattern where the attack is most likely to succeed is where an
>> > automated connection is configured to retry indefinitely in the event of
>> > errors. In this case, it might be possible to recover as much as 14 bits
>> > of plaintext per hour
[...]
>> Given the amount of data pumped down the typical automated connection
>> per hour, this is hardly anything to worry about .. surely?
>
> That depends on the data that is being transferred. If it includes
> Based on the description contained in the CPNI report and a slightly
> more detailed description forwarded by CERT this issue appears to be
> substantially similar to a known weakness in the SSH binary packet
> protocol first described in 2002 by Bellare, Kohno and Namprempre[2].
> The new component seems to be an attack that can recover 14 bits of
> plaintext with a success probability of 2^-14
Could someone please help the uncomprehending [i.e. me :-)] understand
why or whether this is anything to be worried about at all?
Quick calculator session:
CVE-2011-0435
Insufficient checks in bw_per_month.php can lead to bandwidth
usage information disclosure.
CVE-2011-0436
After a registration, passwords are sent in cleartext
email messages.
CVE-2011-0437
Authenticated users could delete accounts using an obsolete
interface which was incorrectly included in the package.
Versions Affected:
2.0.0.RELEASE to 2.0.5.SR01
2.1.0.RELEASE to 2.1.1.SR01
Description:
tc Server allows users to store the passwords used for JMX authentication in an obfuscated form for organizations where storing passwords in plain text is not permitted. The JMX authentication implementation was incorrectly allowing users to authenticate using the password in either its plain text form or its obfuscated form, bypassing the benefit of obfuscation.
Mitigation:
If you are not using password obfuscation, then you are not affected by this issue.
Users of 2.0.x may mitigate this issue by upgrading to 2.0.6.RELEASE.
Users of 2.1.x may mitigate this issue by upgrading to 2.1.2.RELEASE.
application or server-scoped variables. Since these
variables should be inaccessible by the user, it is not
uncommon to store sensitive data in them.
Exploiting this vulnerability requires modification of the
serialized view object, which is not stored in a plaintext
format. The Deface tool[12] can be used to provide
proof-of-concept attacks.
Remediation Steps:
NetSaro Enterprise Messenger Server Plaintext Password Storage Vulnerability
CVSS Risk Rating: 4.6 (Medium)
Product: NetSaro Enterprise Messenger Server
Application Vendor: SEM Software
Vendor URL: http://www.netsaro.com/
9. *Report Timeline*
. 2009-06-04:
Core Security Technologies notifies the WordPress team of the
vulnerabilities (security@wordpress.org) and offers a technical
description encrypted or in plain-text. Advisory is planned for
publication on June 22nd.
. 2009-06-08:
Core notifies the WordPress team of the vulnerability again.
Hi Stefan,
> linux norman internet update daemon (niu) sends our
> corporate license key in cleartext over http when the
> first update is triggered.
Similar problems (use of insecure channels) were reported on June 9,
2009 with their Windows software.
Jeff
Baidu Hi IM software parsing plaintext stack overflow
-- CVE ID:
Not assigned
-- Affected Vendors:
Baidu
-- Affected Products:
Baidu Hi IM software
//OK[0,17,16,8,15,14,8,13,-3,12,11,8,10,9,8,7,0,6,5,0,4,3,8,2,1,1,["com.ca.arcflash.ui.client.model.TrustHostModel/1126245943",
"com.extjs.gxt.ui.client.data.RpcMap/3441186752","port","java.lang.Integer/3438268394","Selected","java.lang.Boolean/476441737",
"hostName","java.lang.String/2004016611","RGOD_9SG","uuid","1a580961-1aa7-4225-b3aa-a522649c16ec","type",
"user","Administrator","password","MY_PASSWORD","Protocol"],0,5] <--------------------
Clear text! Clear text!!!
Username -> Administrator
Password -> MY_PASSWORD
A remote attacker could then login to the affected application
Intro
----
Roundcube Webmail is a browser-based IMAP client that uses the
"chuggnutt.com HTML to Plain Text Conversion" library to convert
HTML text to plain text. This library uses the preg_replace PHP
function in an insecure manner.
Vulnerable versions:
Round Cube RoundCube Webmail 0.2-3 beta
FGA-2008-16: EMC Dantz Retrospect 7 backup Client PlainText Password Hash
Disclosure Vulnerability
http://www.fortiguardcenter.com/advisory/FGA-2008-16.html
July 20, 2008
-- Affected Vendors:
EMC
-- Affected Products:
EMC Dantz Retrospect 7 backup Client 7.5.116
*Report Timeline*
. 2008-05-02: Initial notification sent to the vendor, offering the
CORE-2008-0415 advisory draft in plain-text or encrypted.
. 2008-05-05: Vendor acknowledges and requests the draft in plain text.
. 2008-05-05: Core sends the draft.
. 2008-05-09: Vendor requests a more detailed description of the steps
to reproduce the bug.
. 2008-05-09: Core sends a more detailed description of the steps to
Microsoft Office Outlook is a personal information manager. It is
mainly used as an e-mail application, but it also includes a calendar,
task manager, contact manager, note taking, a journal and web browsing.
Outlook supports various e-mail formats, including plain text, HTML and
TNEF. TNEF is a proprietary format used by Microsoft Outlook and
Microsoft Exchange Server. TNEF messages or TNEF streams consist of
message and/or attachment attributes. These attributes contain basic
properties, such as message subject, date sent and attachment title
(file name). Additional attributes can be set using MAPI properties,
Cyberoam SSL VPN Client - Plain-text Storage of Username and Password
Vulnerability Summary:
Product: Cyberoam SSL VPN Client v1.0
Vendor: eLiteCore
Website: http://www.cyberoam.com/
Platform: Windows
Vulnerability Classification: Insecure Storage of User Credentials
Issue Fixed in Version: Cyberoam SSL VPN 9.6.0.78
Issue Discovered By: Wasim Halani (washal)
+ Acceptable Formats
* Open Document
* PDF
* Plain Text
* RTF
+ Agenda
* beginning of proposals : now
Application: mChek 3.4 by http://www.mchek.com/
Platform: Symbian OS 9.1, Series 60 v3.0. Other mobile platforms might behave in same way.
Severity: Low
Details:
mChek is an E-commerce application which allows users to store multiple credit/debit cards in the phone and use them when required. The mChek (Version 3.4) application stores multiple credit card numbers and the corresponding bank account information in phone storage without protection. It also provides a feature to link bank accounts to this application. The mChek application writes all this information to a file on the phone file system. Upon inspection, it was observed that the credit card number and corresponding bank name were written in cleartext to mobile phone storage. It was also observed that after a credit card is deleted from mChek's user interface, the credit card number continues to exist in the phone file system. If the phone is lost/stolen or any other phone user is able to read the phone's file system, the stored credit/debit card numbers and bank name can be compromised.
Vendor Response:
mChek Version 3.4 is an older version of the product. The current version is 3.8. In this version, card number, bank name and phone number are not stored in clear text and use encrypted storage. When the credit card information is deleted by the user, it's deleted from the application DB as well, but the behavior is not the same in all phone makes and models. We are providing enough protection to the sensitive data stored, and the security is not dependent on the user's ability to read the file system of the phone.
Having said that, even in Version 3.4, only the credit card number and bank name were stored as cleartext. The risk was very low as it is not possible to make a transaction with the card number alone. All other sensitive data, like the exp date for example, are encrypted and stored, and the encryption key is never stored in the mobile phone, making the information very secure.
- Description
The Communigate Pro webmail framework is prone to a stored Cross Site
Scripting vulnerability through crafted plain text email messages.
- Affected version:
5.2.14 and prior as reported from Communigate:
http://www.communigate.com/cgatepro/History52.html
- Details
This vulnerability can be exploited if an attacker sends a plain text