[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <29BF1A5D7C62684F8F68D605B70F50770106F8@clubmed.totally-connected.com>
Date: Wed, 21 May 2003 12:17:57 -0700
From: "Ryan Purita" <ryan@...ally-connected.com>
To: <bugtraq@...urityfocus.com>
Subject: Demarc Puresecure v1.6 - Plaintext password issue -
According to Demarc Puresecure's Website;
Demarc PureSecureTM is a one of a kind, Total Intrusion Detection
System (TIDS), which provides an unsurpassed level of comprehensive
security. For the first time you will be able to reliably prevent,
detect, and deter internal and external threats to your organization's
valuable assets with complete confidence, 24 hours a day. Advanced cross
platform compatible technology means PureSecure can be deployed and
scaled in a wide variety of network infrastructures
#PROBLEM
Demarc Puresecure v1.6 stores plaintext password and login information
for the central/remote logging server. (And some spelling mistakes)
<--SNIP-->
#------------------------------------------------------------------
# Database Variables
#------------------------------------------------------------------
# You MUST change these to match a valid account on your database.
# The database user must have insert/update and drop priviledges.
db_user = "puresecure"
db_password = "abc123"
db_host = "192.168.1.254"
db_name = "IDS"
db_port = "3306"
<--SNIP-->
Granted this is a restricted user and not root, but any access is
bad access. The account could be used to flood the logging server with
bogus information, update previous information, or drop tables,
compromising the integrity of the SQL database.
Tested on Demarc Puresecure Professional and Personal editions
v1.6.
Ryan Purita, CISSP
Senior Security Consultant
www.totally-connected.com
Powered by blists - more mailing lists