[Full-Disclosure] NessusWX stores credentials in plain text
- To: <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: [Full-Disclosure] NessusWX stores credentials in plain text
- From: ~Kevin Davis³ <computerguy@xxxxxxxxxx>
- Date: Sat, 27 Mar 2004 00:02:46 -0500
Software Vendor: NessusWX (nessuswx.nessus.org)
Software Package: NessusWX
Versions Affected: 1.4.4 and possibly earlier versions
Synopsis: Username and password for various accounts stored in unencrypted plain text
Issue Date: Feb 22, 2004
Vendor Response: Vendor notified December 4, 2003; vendor claiming to be working on issue
================================================================================
1. Summary
NessusWX is a GPL Windows client for the open source Nessus vulnerability scanner. NessusWX stores the credentials of various types of accounts in unencrypted plain text in a configuration file.
2. Problem Description
The user saves specific scan configuration settings in sessions created within NessusWX. For every session, a directory is created with the same name as the session and .session appended to it. For instance, for a session named MySession, the default location for the session configuration files would be the directory C:\NessusDB\MySession.session.

Every session can save unique Nessus plugin configuration settings. Among these are username/password settings for various types of accounts. These options are accessed by selecting a session and then, in the main menu under "Session", selecting the "Properties" submenu. This displays a multi-tabbed dialog. Select the "Plugins" tab and then click the "Configure Plugins" button. A listbox is displayed, and near the bottom of the list there is an item named "Login Configurations". When the user saves this logon information, both the usernames and passwords are saved in plaintext, in the path specified above, in a file named preferences.

Further, after this information is saved to the file, if the user goes back and removes it using the GUI, the user interface indicates that the information has been removed. This is misleading, because it is still retained in the configuration file. This behavior is somewhat inconsistent: sometimes the entire username/password data is retained in the file, and sometimes the first character of each is removed. When setting these parameters, the user is also not informed that this sensitive information is being stored insecurely.

This potentially affects the following types of accounts:
FTP
IMAP
POP2
POP3
NNTP
SNMP
SMB (Windows NT Domain)
3. Solution
None at this time. The vendor agreed to fix the problem by allowing the user to password protect the data and also have the data removed properly. It has been over 60 days and the patch has not been made available.
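
Until a fix is available, the session directories can be audited for credential entries that still carry a value. The script below is an added example, not part of the original advisory and not NessusWX code. It assumes the preferences file holds "key = value" lines and that credential keys contain words such as "login" or "password"; the advisory does not give the file syntax or key names, and the sample data is constructed.

```python
import os
import re
import tempfile

# Assumption: key names containing these words hold account data. The page
# does not list the real key names or the file syntax ("key = value" is assumed).
SENSITIVE = re.compile(r"login|account|user|pass|community", re.I)

def audit_sessions(db_root):
    """Return (session_dir, line_no, key) for every credential-like entry
    that still has a value in <db_root>/<name>.session/preferences."""
    findings = []
    for entry in sorted(os.listdir(db_root)):
        prefs = os.path.join(db_root, entry, "preferences")
        if not entry.endswith(".session") or not os.path.isfile(prefs):
            continue
        with open(prefs, encoding="latin-1") as fh:
            for line_no, line in enumerate(fh, 1):
                key, sep, value = line.partition("=")
                # Report the key only; the stored secret is never echoed.
                if sep and value.strip() and SENSITIVE.search(key):
                    findings.append((entry, line_no, key.strip()))
    return findings

def build_sample(root):
    """Write two constructed session directories and return the root."""
    samples = {
        # Constructed entries left behind after a GUI "removal"; the password
        # has lost its first character, one of the behaviors described above.
        "MySession.session": "max_hosts = 16\nFTP account = scanuser\n"
                             "FTP password = ecret1\nSMB login =\n",
        "Clean.session": "max_hosts = 16\n",
    }
    for name, text in samples.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "preferences"), "w") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for session, line_no, key in audit_sessions(build_sample(tmp)):
            print(f"{session}: line {line_no}: value still stored for '{key}'")
```

On a real installation, pass the session root (C:\NessusDB by default, per the advisory) to audit_sessions and treat any accounts it flags as needing a password change, since removing them in the GUI does not clear the file.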