Bugtraq mailing list archives

Insecure handling of NetSol maintainer passwords

From: jlewis () LEWIS ORG (jlewis () LEWIS ORG)
Date: Mon, 8 Nov 1999 20:12:49 -0500


Some months ago I began using the crypt-pw Auth Scheme with my
Internic/Network Solutions NIC handle because forging mail to
ineternic.net is just too easy and I don't want my domains messed with.

On Sep 21, 1999 I notified security () networksolutions com that when doing
domain updates with Auth Scheme Crypt-PW, if the clear text password
contains spaces, their processing scripts strip out the password up to the
first space, and then send off notification emails containing the
remainder of the password to the other contacts involved with the domain
being updated.

I was told my report had been passed on to the developers for a fix.
About a month went by and the problem had not been fixed, so I asked about
it again.  On Oct 26, I was told it was still in the hands of the
developers, and it was recommended that I not use a password containing
spaces.

Today, I sent in some updates, and the probem still has not been fixed.

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  Spammers will be winnuked or
 System Administrator        |  nestea'd...whatever it takes
 Atlantic Net                |  to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________

Current thread:

Re: Netscape Web Publisher, (continued)
- - Re: Netscape Web Publisher nblasgen () NICK REFRACT COM (Nov 07)
  - vwxploit.c unix port Sebastian (Nov 08)
- Windows NT Spooler Service. Avri Schneider (Nov 07)
- [w00giving '99 #2] IMAIL POP server Shok (Nov 07)
- Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Blue Boar (Nov 07)
- Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Jefferson Ogata (Nov 08)
- MS Outlook alert : Cuartango Active Setup Elias Levy (Nov 08)
  - BigIP - bigconf.cgi holes Guy Cohen (Jun 13)
  - Re: MS Outlook alert : Cuartango Active Setup David LeBlanc (Nov 08)
  - Re: MS Outlook alert : Cuartango Active Setup - Workaround Instructions Mark (Nov 08)
    - Insecure handling of NetSol maintainer passwords jlewis () LEWIS ORG (Nov 08)
    - flaw in dmesg under Solaris echo8 (Nov 09)
    - Re: Insecure handling of NetSol maintainer passwords Jefferson Ogata (Nov 09)
    - Re: Insecure handling of NetSol maintainer passwords pedward () WEBCOM COM (Nov 10)
    - Re: Insecure handling of NetSol maintainer passwords Trevor Schroeder (Nov 10)
    - networksolutions CRYPT-PW salt (was: Re: Insecure handling of NetSol maintainer passwords) Jefferson Ogata (Nov 10)
    - [Cobalt] Security Advisory - cgiwrap Jeff Bilicki (Nov 09)
    - Re: MS Outlook alert : Cuartango Active Setup - Workaround Instructions Andy Helsby (Nov 09)
  - Remote DoS Attack in TransSoft's Broker Ftp Server v3.5 Vulnerability Ussr Labs (Nov 08)
  - FreeBSD 3.3's seyon vulnerability Brock Tellier (Nov 08)
    - Re: FreeBSD 3.3's seyon vulnerability Bill Fumerola (Nov 09)

(Thread continues...)