Dangerous information in CentraOne log files - VENDOR RESPONSE
From: JClark@CENTRA.COM
Date: 12/26/01
- Previous message: Vesselin Bontchev: "Re: Announcing Public Availability of NoHTML for Outlook 2000/200 2"
- Next in thread: zedfly@HUSHMAIL.COM: "Re: Dangerous information in CentraOne log files - VENDOR RESPONSE"
- Reply: zedfly@HUSHMAIL.COM: "Re: Dangerous information in CentraOne log files - VENDOR RESPONSE"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Dec 2001 12:37:11 -0500
From: JClark@CENTRA.COM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
As a subscriber itself to the NTBugtraq listserv, Centra Software first
became aware of a security vulnerability in several versions of its products
with a posting to the NTBugtraq distribution list. Centra is a vendor
committed not only to providing secure software solutions, but also to
informing its customers immediately of any vulnerabilities it discovers in
its products and, as such, is notifying all NTBugtraq subscribers and
customers with its response to this vulnerability.
If you have additional questions or inquiries, please contact Centra
Customer Support directly at support@centra.com.
Thanks,
- The Centra Customer Support Team
*****************************************************************************************************************
ORIGINAL POSTING
Date Published: 12/17/01
Bugtraq ID: -
CVE CAN: -
Title: Dangerous information being recorded in CentraOne Log files, possible user impersonation
Severity: Medium
Remote Exploit: No
Local Exploit: Yes
*****************************************************************************************************************
RESPONSE FROM THE VENDOR, CENTRA SOFTWARE
DESCRIPTION OF VULNERABILITY
This security bug applies to CentraOne v5.2 customers using Centra Smart
Connect patch CEN5.2-03 (released November 11, 2001) and Centra ASP
customers. For both sets of customers, it only applies to users who connect
to the Centra Server through a proxy server which has Basic Authentication
enabled.
When the client launches, a log file is created on the end user's local PC.
If the user is connecting through a proxy server with Basic Authentication
enabled, the log file contains information about the proxy server including
a base64 encoded username / password string. This information could be used
to launch an impersonation attack by an individual who has physical access
to the log files on the end user's client PC.
PREVENTION OF VULNERABILITY
Below is a list of steps you can take to avoid this problem. Please contact
Centra Customer Support for more details.
NOTE: Only applicable to customers using CentraOne 5.2 with Patch CEN5.2-03
and Centra ASP services
- Upgrade to CentraOne 5.3 General Availability, which is not susceptible to
this problem and is available from Centra today.
- Install the patch designed to address this, which will be available for
download from the Centra customer support web site on or before Friday,
January 4.
- Centra will be adding a patch to the Centra eMeeting ASP service to
address this bug.
*****************************************************************************************************************
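The vendor response above states that the client log records the proxy's Basic Authentication string in base64, which is an encoding and not encryption, so anyone who can read the file can recover the credential. The following scanner is an added example and is not part of Centra's response or of any Centra software: it finds Basic credential tokens in a client log, reports only the username (so the affected account can be identified and its password rotated, without surfacing the password itself), and produces a redacted copy of the log. The log lines are constructed for this example; the page does not show Centra's actual log format, so the only assumption made is that the log echoes a Proxy-Authorization style header.

```python
import base64
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Matches an HTTP Basic credential token as it appears in a Proxy-Authorization
# header, or in any log line that echoes that header.
BASIC_RE = re.compile(r"\bBasic\s+([A-Za-z0-9+/]{4,}={0,2})")

# Constructed sample log (not a real CentraOne log); line 3 carries a
# base64 credential for the made-up account "jdoe".
SAMPLE_LOG = """\
2001-12-17 09:14:02 INFO  Client starting, version 5.2 patch 03
2001-12-17 09:14:02 INFO  Proxy configured: proxy.corp.example:8080 (Basic auth)
2001-12-17 09:14:03 DEBUG Proxy-Authorization: Basic amRvZTpzM2NyZXQh
2001-12-17 09:14:03 DEBUG Connected to server 203.0.113.10:443
2001-12-17 09:14:04 INFO  Basic connectivity check passed
"""


@dataclass
class Finding:
    line_no: int
    username: str  # reported so the credential can be rotated; the password is never surfaced


def decode_basic_user(token: str) -> Optional[str]:
    """Return the username if `token` is a well-formed RFC 2617 'user:password'
    credential, otherwise None.  The decode is used only to tell a real
    credential apart from ordinary words that follow 'Basic' in a log line
    (for example 'Basic connectivity check'), which are not valid UTF-8 or
    lack the 'user:password' shape once base64-decoded."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw or not raw.isprintable():
        return None
    user = raw.split(":", 1)[0]
    return user or None


def scan_log(lines: Iterable[str]) -> Tuple[List[Finding], List[str]]:
    """Scan log lines; return the findings plus a copy of the log in which
    every Basic credential token is replaced by '[REDACTED]'.  Lines that
    merely contain the word 'Basic' are left untouched."""
    findings: List[Finding] = []
    redacted: List[str] = []
    for line_no, line in enumerate(lines, start=1):
        def replace(m) -> str:
            user = decode_basic_user(m.group(1))
            if user is None:
                return m.group(0)  # not a credential, leave the text intact
            findings.append(Finding(line_no, user))
            return "Basic [REDACTED]"
        redacted.append(BASIC_RE.sub(replace, line))
    return findings, redacted


if __name__ == "__main__":
    found, clean = scan_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"line {f.line_no}: Basic credential for user '{f.username}' -> rotate this password")
    print("--- redacted log ---")
    print("\n".join(clean))
```

Running the block against the constructed log reports one finding (line 3, user jdoe) and leaves the "Basic auth" and "Basic connectivity" lines unchanged. The redacted output contains no credential token, and rescanning it finds nothing, so it is safe to attach to a support ticket or an incident record.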