lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <29BF1A5D7C62684F8F68D605B70F50770106F8@clubmed.totally-connected.com>
Date: Wed, 21 May 2003 12:17:57 -0700
From: "Ryan Purita" <ryan@...ally-connected.com>
To: <bugtraq@...urityfocus.com>
Subject: Demarc Puresecure v1.6 - Plaintext password issue -


According to Demarc Puresecure's Website;
       
       Demarc PureSecureTM is a one of a kind, Total Intrusion Detection
System (TIDS), which provides an unsurpassed level of comprehensive
security. For the first time you will be able to reliably prevent,
detect, and deter internal and external threats to your organization's
valuable assets with complete confidence, 24 hours a day. Advanced cross
platform compatible technology means PureSecure can be deployed and
scaled in a wide variety of network infrastructures

#PROBLEM
Demarc Puresecure v1.6 stores plaintext password and login information
for the central/remote logging server. (And some spelling mistakes)

<--SNIP-->
#------------------------------------------------------------------
# Database Variables
#------------------------------------------------------------------
# You MUST change these to match a valid account on your database. 
# The database user must have insert/update and drop priviledges.

db_user = "puresecure"
db_password = "abc123"
db_host = "192.168.1.254"
db_name = "IDS"
db_port = "3306"
<--SNIP-->

       Granted this is a restricted user and not root, but any access is
bad access. The account could be used to flood the logging server with
bogus information, update previous information, or drop tables,
compromising the integrity of the SQL database. 
       
       Tested on Demarc Puresecure Professional and Personal editions
v1.6.

Ryan Purita, CISSP
Senior Security Consultant
www.totally-connected.com








Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ