[Full-Disclosure] NessusWX stores credentials in plain text

From: Kevin Davis (computerguy_at_cfl.rr.com)
Date: 03/27/04

    To: <full-disclosure@lists.netsys.com>
    Date: Sat, 27 Mar 2004 00:02:46 -0500
    
    

    Software Vendor: NessusWX (nessuswx.nessus.org)
    Software Package: NessusWX
    Versions Affected: 1.4.4 and possibly earlier versions
    Synopsis: Username and password for various accounts stored in unencrypted plain text

    Issue Date: Feb 22, 2004

    Vendor Response: Vendor notified December 4, 2003
       Vendor claiming to be working on issue

    ================================================================================

    1. Summary

    NessusWX is a GPL Windows client for the open source Nessus Vulnerability scanner.
    NessusWX stores the credentials of various types of accounts in unencrypted plain
    text in a configuration file.

    2. Problem Description

    The user saves specific scan configuration settings in sessions created within
    NessusWX. For every session a directory is created named the same as the
    session name with a .session appended to it. For instance in the case of a
    session named MySession, the default location for the session configuration
    files would be in the directory C:\NessusDB\MySession.session. Every session
    can save unique Nessus plugin configuration settings. Among these are
    username/password settings for various types of accounts. These options are
    accessed by selecting a session, and then in the main menu under "Session" selecting
    the "Properties" submenu. This will display a multi-tabbed dialog. Select the
    "Plugins" tab and then click on the "Configure Plugins" button. A listbox will
    be displayed and near the bottom of the list there will be an item named "Login
    Configurations". When the user saves this logon information, both the usernames
    and passwords are saved in plaintext in the above specified path in a file named
    preferences. Further, after this information is saved to the file, if the user goes
    back and removes this information using the GUI, the user interface indicates that
    the information has been removed but this is misleading because it is still
    retained in the configuration file. This behavior is somewhat inconsistent.
    Sometimes the entire username/password data is retained in the file and
    sometimes the first character of each is removed. When setting these parameters,
    the user is also not informed of this sensitive information being stored
    insecurely. This potentially affects the following types of accounts:

    FTP
    IMAP
    POP2
    POP3
    NNTP
    SNMP
    SMB (Windows NT Domain)

    3. Solution

    None at this time. The vendor agreed to fix the problem by allowing the user to
    password protect the data and also have the data removed properly. It has been
    over 60 days and the patch has not been made available.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
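
An added audit example, not part of the original advisory or of NessusWX: it walks a session root such as C:\NessusDB, opens each <name>.session\preferences file and reports login entries that still hold a value, which also catches entries left behind after removal in the GUI. The advisory does not show the file format, so the "key = value" line shape and the sample entries below are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed line shape (not confirmed by the advisory): "<key> = <value>",
# where the key mentions the "Login configurations" plugin group.
CRED_LINE = re.compile(
    r"^(?P<key>[^=]*login configurations[^=]*?)\s*=\s*(?P<value>.*)$", re.I)


def audit_sessions(root):
    """Return (preferences_path, line_no, key, value_length) for every
    non-empty login entry found under <root>/<name>.session/preferences."""
    findings = []
    for entry in sorted(os.listdir(root)):
        prefs = os.path.join(root, entry, "preferences")
        if not entry.lower().endswith(".session") or not os.path.isfile(prefs):
            continue
        with open(prefs, "r", errors="replace") as fh:
            for line_no, line in enumerate(fh, 1):
                m = CRED_LINE.match(line.strip())
                # Report only the length, never the stored value itself.
                if m and m.group("value").strip():
                    findings.append((prefs, line_no, m.group("key").strip(),
                                     len(m.group("value").strip())))
    return findings


def build_sample(root):
    """Constructed sample data: one session with leftover entries, one clean."""
    dirty = os.path.join(root, "MySession.session")
    clean = os.path.join(root, "Other.session")
    os.makedirs(dirty)
    os.makedirs(clean)
    with open(os.path.join(dirty, "preferences"), "w") as fh:
        fh.write("max_hosts = 16\n"
                 "Login configurations[entry]:FTP account : = exampleuser\n"
                 "Login configurations[password]:FTP password : = xamplepass\n"
                 "Login configurations[entry]:POP3 account : = \n")
    with open(os.path.join(clean, "preferences"), "w") as fh:
        fh.write("max_hosts = 16\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, line_no, key, length in audit_sessions(tmp):
            print(f"{path}:{line_no}: {key!r} holds {length} characters")
```

Any session the audit flags still has account data on disk regardless of what the GUI shows, so the affected passwords should be changed and the preferences file edited or deleted by hand.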

