Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: General :: web4928.htm

CentraOne insecure secret log



18th Dec 2001 [SBWID-4928]
COMMAND

	CentraOne insecure secret log

SYSTEMS AFFECTED

	Current version

PROBLEM

	zedfly found following :
	

	Centra is a Web-based product  designed  to  facilitate  e-learning  and
	collaboration. By default, when the  application  is  launched,  several
	log files are created within one of the application\'s  sub-directories.
	These log files are not  protected  and  contain  sensitive  information
	about the user, his/her machine and  the  connected  network;  including
	the proxy server  name,  port,  exception  list  and  a  base64  encoded
	username / password string. Base64 is not an encryption  method  and  it
	is, therefore, trivial to decode the clear text username and password.
	

	This  information  could  easily  be  used  to  successfully  launch  an
	impersonation a ttack on related systems participating  in  the  user\'s
	network by both internal and external users as Centra technical  support
	frequently request that these files  be  e-mailed  and  external  facing
	devices such as remote access devices and  secure  web  sites  typically
	use the same username / password combination.

SOLUTION

	Nothing yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH