[NEWS] Dangerous Information in CentraOne Log Files (Vendor Response)
From: support@securiteam.com
Date: 12/27/01
From: support@securiteam.com To: list@securiteam.com Date: Thu, 27 Dec 2001 17:18:42 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Dangerous Information in CentraOne Log Files (Vendor Response)
------------------------------------------------------------------------
SUMMARY
This security bug applies to CentraOne v5.2 customers using Centra Smart
Connect patch CEN5.2-03 (released November 11, 2001) and Centra ASP
customers. For both sets of customers, it only applies to users who
connect to the Centra Server through a proxy server that has Basic
Authentication enabled.
When the client launches, a log file is created on the end user's local
PC. If the user is connecting through a proxy server with Basic
Authentication enabled, the log file contains information about the proxy
server, including a base64-encoded username/password string. This
information could be used to launch an impersonation attack by an
individual who has physical access to the log files on the end user's
client PC.
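The advisory does not show the CentraOne log format, so the following is an added example, not code from the advisory or from Centra: a small Python checker that an administrator can run over a client-side log to find out whether a proxy Basic-authentication token has been written to disk, and to produce a redacted copy. The sample log lines are constructed for the example, and the assumption that the token appears as "Basic <base64>" mirrors the HTTP Proxy-Authorization header rather than any documented CentraOne layout.

```python
import base64
import binascii
import re

# Constructed sample lines; the real CentraOne log layout is not on the page.
# Line 3 carries a base64 "user:password" pair, line 5 a base64 blob that is
# not a credential, and line 2 the word "basic" with no token after it.
SAMPLE_LOG = """\
2001-11-12 09:14:03 INFO  client start, version 5.2 patch CEN5.2-03
2001-11-12 09:14:04 DEBUG proxy=proxy.example.test:8080 type=basic
2001-11-12 09:14:04 DEBUG Proxy-Authorization: Basic YWxpY2U6czNjcjN0
2001-11-12 09:14:05 INFO  connected to centra server
2001-11-12 09:14:05 DEBUG token=Basic bm90LWEtY3JlZGVudGlhbA==
"""

# "Basic" followed by whitespace and a base64 blob, matched within one line.
BASIC_TOKEN = re.compile(r"\b(Basic)[ \t]+([A-Za-z0-9+/]{4,}=*)", re.IGNORECASE)


def looks_like_basic_credential(token: str) -> bool:
    """True if token is valid base64 that decodes to a 'user:password' pair."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    # RFC 7617: the user-id cannot contain ':'; the password follows the first one.
    user, sep, _password = text.partition(":")
    return bool(sep) and bool(user) and text.isprintable()


def scan_log(text: str):
    """Scan log text line by line.

    Returns (findings, redacted_text). findings is a list of
    (line_number, username) for every Basic token that decodes to a
    credential; the password itself is never returned. redacted_text is the
    log with each such token replaced by [REDACTED].
    """
    findings = []
    redacted_lines = []
    for line_no, line in enumerate(text.splitlines(), start=1):

        def _redact(match: re.Match) -> str:
            token = match.group(2)
            if not looks_like_basic_credential(token):
                return match.group(0)  # leave non-credential blobs untouched
            user = base64.b64decode(token).decode("utf-8").partition(":")[0]
            findings.append((line_no, user))
            return match.group(1) + " [REDACTED]"

        redacted_lines.append(BASIC_TOKEN.sub(_redact, line))
    return findings, "\n".join(redacted_lines) + "\n"


if __name__ == "__main__":
    found, cleaned = scan_log(SAMPLE_LOG)
    for line_no, user in found:
        print(f"line {line_no}: proxy Basic credential for user '{user}' present in log")
    print(cleaned)
```

On the constructed input the checker reports one finding (line 3, user "alice") and leaves the non-credential base64 blob on line 5 alone, so it can be pointed at a directory of client logs without drowning the result in false hits. Redacting in a copy rather than in place keeps the original available as evidence of how long the credential was exposed.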
DETAILS
Presentation of the vulnerability:
Below is a list of steps you can take to avoid this problem. Please
contact Centra Customer Support for more details.
NOTE: Only applicable to customers using CentraOne 5.2 with Patch
CEN5.2-03 and Centra ASP services.
- Upgrade to CentraOne 5.3 General Availability, which is not susceptible
to this problem and is available from Centra today.
- Install the patch designed to address this, which will be available for
download from the Centra customer support web site on or before Friday,
January 4.
- Centra will be adding a patch to the Centra eMeeting ASP service to
address this bug.
ADDITIONAL INFORMATION
The information has been provided by <mailto:JClark@CENTRA.COM> JClark.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.