| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: kevin.davis at mindless.com (~Kevin DavisĀ³) Subject: Nessus stores credentials in plain text Q. Does Nessus use username and password data and store it in plaintext locally even after the client connections are long gone? A. Yes. If is not ok for vulnerability scanners like ISS and others to do this, why is it ok for Nessus to do this? ----- Original Message ----- From: "Raymond Morsman" <raymond@....org> To: "~Kevin Davis?" <computerguy@....rr.com> Cc: <full-disclosure@...ts.netsys.com> Sent: Sunday, March 28, 2004 4:27 PM Subject: Re: [Full-Disclosure] Nessus stores credentials in plain text > On Sat, 2004-03-27 at 17:47, ~Kevin Davis? wrote: > > Many people would disagree that storing passwords in plaintext is not a > > vulnerability. This includes entities like ISS who were doing the same > > thing and once realized it changed it. I don't see how a plaintext username > > and > > password is simply "system data" and not also credentials. And guess what? > > Nessus itself has several plugins that check for plaintext passwords in > > other applications. > > Q: Does Nessus use this data for its own persona-check? > A: No, it uses it for client connections. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists