Message-ID: <16ece6650607021223v26de1d4at50fe55d42361b719@mail.gmail.com>
Date: Sun Jul  2 20:23:20 2006
From: clappymonkey at gmail.com (mike kemp)
Subject: Multiple vulnerabilities in TK8 Safe v.3.0.5

Multiple vulnerabilities in TK8 Safe v.3.0.5

July 3, 2006

----

Summary:
TK8 Safe (www.tk8.com) is a password management application, which stores
authentication details (and other sensitive data) in encrypted local
folders. A number of issues have been discovered in version 3.0.5 of the
application that present a risk to the integrity and availability of stored
user data.

Business Impact:
Successful exploitation of the issues discovered could lead to system
unavailability, the overwriting of sensitive data, and unrestricted access
to sensitive data. Attacks against the application require limited technical
knowledge.

Affected products:
TK8 Safe v.3.0.5 Standard and Pro Editions.

----

Description:
TK8 Safe v.3.0.5 allows users to set encrypted data repositories with weak
or null passwords.

Remediation:
Assign a strong password to working folders. The vendor is addressing this
issue in a forthcoming release (expected delivery date October 2006).

Description:
It is possible for a malicious attacker to brute force the password(s) for
protected folder(s). No timeout functionality is implemented, meaning that
although it is impossible for a legitimate user to 'lock out' their account,
it is possible for a malicious attacker (or an automated agent) to make
repeated attempts at directory access.

Remediation:
Upgrade to TK8 Safe v.3.0.6 available from vendor website.
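The two issues above (weak or null repository passwords, and unthrottled unlock attempts) are the two controls a password vault must get right at its entry point. The following is an added illustration, not TK8 Safe code and not the vendor's fix: a minimal model of a protected folder that refuses empty or weak master passwords at creation time and applies exponential backoff plus a hard lockout to repeated failed unlock attempts. The policy values (minimum length, failure threshold, backoff base, lockout duration) and all names are assumptions chosen for the example; the `now` parameter is injected so the timing logic can be exercised deterministically.

```python
import hashlib
import hmac
import os

# Constructed example: a minimal password-vault "folder" model that
# (1) rejects null/weak master passwords at creation and
# (2) throttles and then locks out repeated failed unlock attempts.
# Not TK8 Safe code; every name and policy value here is hypothetical.

MIN_PASSWORD_LENGTH = 12          # assumed policy value
MIN_CHARACTER_CLASSES = 3         # assumed policy value
MAX_FAILURES_BEFORE_LOCK = 5      # assumed policy value
BASE_DELAY_SECONDS = 1.0          # assumed backoff base (1s, 2s, 4s, ...)
LOCKOUT_SECONDS = 300.0           # assumed hard-lock duration
PBKDF2_ITERATIONS = 100_000       # assumed work factor


class WeakPasswordError(ValueError):
    """Raised when a master password fails the strength policy."""


def is_acceptable_password(password: str) -> bool:
    """Return True only if the password is non-empty, long enough, and
    mixes at least MIN_CHARACTER_CLASSES of lower/upper/digit/symbol."""
    if not password:                       # null or empty password
        return False
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= MIN_CHARACTER_CLASSES


class ProtectedFolder:
    """A folder protected by a master password with attempt throttling."""

    def __init__(self, password: str) -> None:
        if not is_acceptable_password(password):
            raise WeakPasswordError("master password rejected by strength policy")
        self._salt = os.urandom(16)
        self._verifier = self._derive(password, self._salt)
        self._failures = 0
        self._locked_until = 0.0   # monotonic timestamp before which unlock is refused

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Slow key derivation so each guess costs the caller real work.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS)

    def retry_after(self, now: float) -> float:
        """Seconds until the next attempt is accepted (0.0 if not throttled)."""
        return max(0.0, self._locked_until - now)

    def unlock(self, password: str, now: float) -> str:
        """Attempt to unlock. Returns "ok", "denied", or "locked".

        `now` is a caller-supplied monotonic clock reading (injected so the
        throttling logic is testable without sleeping).
        """
        if now < self._locked_until:
            return "locked"
        candidate = self._derive(password, self._salt)
        if hmac.compare_digest(candidate, self._verifier):
            self._failures = 0          # successful unlock resets the counter
            return "ok"
        self._failures += 1
        if self._failures >= MAX_FAILURES_BEFORE_LOCK:
            # Hard lockout after too many consecutive failures.
            self._locked_until = now + LOCKOUT_SECONDS
            self._failures = 0          # counter restarts once the lock expires
        else:
            # Exponential backoff between attempts: 1s, 2s, 4s, 8s, ...
            self._locked_until = now + BASE_DELAY_SECONDS * (2 ** (self._failures - 1))
        return "denied"
```

Two design points worth noting: the attempt counter is kept alongside the verifier rather than in the UI, so closing and reopening the dialog does not reset it, and the backoff applies to every caller regardless of whether the password was right, which is what denies an automated agent the unlimited retries the advisory describes.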

Description:
It is possible for a malicious attacker to overwrite a legitimate directory.

Remediation:
Upgrade to TK8 Safe v.3.0.6 available from vendor website.

Description:
Insufficient bounds checking is in place within various fields within the
application. By entering a string of sufficient length it is possible to
create a variety of localised application DoS states.

Remediation:
Upgrade to TK8 Safe v.3.0.6 available from vendor website.

----

Credit:
Vulnerabilities discovered by Michael Kemp (www.clappymonkey.com).