Bugtraq mailing list archives

Re: cleartext passwords in Remedy processes' cores


From: jmurphy () cnu acsu buffalo edu (Joel Murphy)
Date: Fri, 15 Nov 1996 21:09:40 -0500


The security hole in Remedy's product is that a core dump of either the user
processes (i.e. aruser, notifier) shows the user's password in clear text.

Anyone who is an administrator in Remedy can fetch any password in
plain text from the server with a trivial program using the ARS API.
It also has an annoying feature where the client tool by default saves
your password to a file in a form that it knows how to decrypt.  Don't use
passwords from other systems in Remedy...

Joel Murphy


