[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Nessus stores credentials in plain text
- To: "Raymond Morsman" <raymond@xxxxxxx>
- Subject: Re: [Full-Disclosure] Nessus stores credentials in plain text
- From: ~Kevin Davis³ <kevin.davis@xxxxxxxxxxxx>
- Date: Sat, 27 Mar 2004 07:50:14 -0500
Many people would disagree that storing passwords in plaintext is not a
vulnerability. This includes entities like ISS who werre doing the same
thing and once realized it changed it. For many, it is not a matter of
merely being "nice" to encrypt plaintext passwords, but a requirement. You
are giving the keys to the kingdom away for free here.
----- Original Message -----
From: "Raymond Morsman" <raymond@xxxxxxx>
To: "~Kevin Davis³" <computerguy@xxxxxxxxxx>
Cc: <full-disclosure@xxxxxxxxxxxxxxxx>
Sent: Saturday, March 27, 2004 4:08 AM
Subject: Re: [Full-Disclosure] Nessus stores credentials in plain text
> On Sat, 2004-03-27 at 06:01, ~Kevin Davis³ wrote:
> > I have posted this issue to a couple entities like bugtraq and CERT
> > with no response. I mentioned this issue to an organization
>
> And so it should be. These are not vulnerabilities in the pure sense of
> the word.
>
> What you call credentials are nothing more than system data for Nessus
> and therefore not an issue for Nessus.
>
> You can't use MD5 on systemdata.
>
> However, I must agree that it would be nice if this information would be
> encrypted with the users password.
>
> Raymond.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html