Bugtraq mailing list archives
Re: Password issue in Axent ESM 5.0.1 Console
From: blake () BOS BINDVIEW COM (Scott Blake)
Date: Fri, 14 Jan 2000 10:52:01 -0500
I don't understand what the security issue is here. Sounds like ESM is doing a good thing by passwording the console, but has a bug in the password change code. If they're using the MS Access native security, recovering the password is trivial, so in essence there is no security there at all. One could make a case that there should be, but the bug in password changing is hardly relevant to that. Finally, tech support's recommendation that the password be removed from the DB is perfectly reasonable when you consider that it is utterly useless anyway.

-----
Scott Blake
blake () bos bindview com
Security Program Manager
BindView Corporation

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Todd
Sent: Wednesday, January 12, 2000 7:04 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Password issue in Axent ESM 5.0.1 Console

Axent's latest release of its ESM product was redesigned and supposedly revamped around its new "Management Console". The new management console is based on an underlying Access Database. The console is password protected each time the application is launched. However, when the user wants to change the console password, the next time the application is launched the database is inaccessible because the code does not update the password on the database file. It is reported that contact of Axent resulted in being told to launch the MS Access DB file and disable password checking.