From: computerguy at cfl.rr.com (~Kevin Davis³)
Subject: Nessus stores credentials in plain text

Many people would disagree that storing passwords in plaintext is not a
vulnerability.  This includes entities like ISS who were doing the same
thing and once realized it changed it.  I don't see how a plaintext username
and
password is simply "system data" and not also credentials.  And guess what?
Nessus itself has several plugins that check for plaintext passwords in
other applications.
I guess it has a different standard for itself as opposed to other
applications.  For many,
it is not a matter of merely being "nice" to encrypt plaintext passwords,
but a
requirement.  You are giving the keys to the kingdom away almost for free
here.


> ----- Original Message ----- 
> From: "Raymond Morsman" <raymond@....org>
> To: "~Kevin Davis?" <computerguy@....rr.com>
> Cc: <full-disclosure@...ts.netsys.com>
> Sent: Saturday, March 27, 2004 4:08 AM
> Subject: Re: [Full-Disclosure] Nessus stores credentials in plain text
>
>
> > On Sat, 2004-03-27 at 06:01, ~Kevin Davis? wrote:
> > > I have posted this issue to a couple entities like bugtraq and CERT
> > > with no response.  I mentioned this issue to an organization
> >
> > And so it should be. These are not vulnerabilities in the pure sense of
> > the word.
> >
> > What you call credentials are nothing more than system data for Nessus
> > and therefore not an issue for Nessus.
> >
> > You can't use MD5 on systemdata.
> >
> > However, I must agree that it would be nice if this information would be
> > encrypted with the users password.
> >
> > Raymond.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>

Powered by blists - more mailing lists