Bugtraq mailing list archives
Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability
From: jkohl <jkohl () nc rr com>
Date: Fri, 8 Jun 2001 13:03:37 -0700 (PDT)
On Fri, 08 Jun 2001 00:37:34 -0700 Peter Ajamian <peter () pajamian dhs org> wrote:

> Problem: While crypt password authentication is not in and of itself very secure, Network Solutions have made it even less so by including the first two characters of the password as the salt of the encrypted form. While the password is transmitted via a secure session, the encrypted form is returned almost immediately in a non-encrypted www session. Also, this password is typically emailed back and forth to the user no less than two times (and often more). This allows several opportunities for someone to observe the encrypted password; this in and of itself is not good.
<snip>

Peter, great call. I was actually going to post about this myself, but wasn't sure if this list was the right place for the NS web-based stuff. There are some additional concerns about their Crypt-PW solution (which I've mentioned to them, and they've not done anything about it)...

1) Even though Crypt-PW is supposedly a replacement for MAIL-TO, you still must have a valid email address to use Crypt-PW... so what IS the point of having Crypt-PW? (Especially as it's not secure.)

2) If you do NOT have a valid email address (i.e. dropped account, etc.), NS emails the completed forms (with the entire Auth password) to the address anyway. If, especially in the case of some ISPs, they have 'reused' the login after an extended amount of time, they've just emailed someone else your encrypted password for your domain. If not, it's going to go into the admin no-relay logs, leaving it open to abuse by someone with access to the mail host.

And, not to leave out Peter's mention of the fact that they are sending the cleartext mail (with the password) where anyone can view it.

Workarounds... do NOT use Crypt-PW as an authentication, and ensure that you change your domain records *before* losing the account, as Crypt-PW will not allow you to access or change records if you do not still own the email address.

Cheers!
Jan Kohl
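The following is an added example, not code from this thread or from Network Solutions, illustrating the weakness Peter's quoted report describes: traditional crypt(3) stores its two-character salt in the clear as the first two characters of the output, so if the salt is the first two characters of the password, every observer of the "encrypted" form learns those characters and only has to brute-force the rest. The character set ALPHABET, the four-character sample passwords, and the function names (weak_crypt_pw, random_salt_crypt_pw, crack, search_space) are my own choices for the demonstration; when the platform's libcrypt does not provide DES crypt (or the crypt module is absent, as on Python 3.13), the code falls back to a salt-plus-SHA-256 stand-in that I introduce here solely to keep the visible-salt property.

```python
"""Why 'salt = first two characters of the password' weakens crypt(3).

Added example, not from the Bugtraq thread.  Traditional crypt(3) emits
its two-character salt in the clear as the first two characters of the
output, so anyone who sees the hash sees the salt.  If the salt is the
first two characters of the password, the hash leaks those characters
and an attacker only has to guess the remainder.
"""
import hashlib
import itertools
import secrets
import string
import warnings

try:
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        import crypt  # stdlib through Python 3.12; removed in 3.13
except ImportError:
    crypt = None

# Assumed character set for the demo (also a valid crypt(3) salt alphabet).
ALPHABET = string.ascii_letters + string.digits


def crypt_with_salt(password: str, salt: str) -> str:
    """crypt(3)-style hash whose first two characters are the salt.

    Uses the real DES crypt(3) when the platform provides it; otherwise a
    stand-in (salt + truncated SHA-256) that keeps the visible-salt property.
    The stand-in is an assumption of this example, not part of crypt(3).
    """
    if crypt is not None:
        out = crypt.crypt(password, salt)
        if out and out.startswith(salt):
            return out
    digest = hashlib.sha256((salt + password).encode()).hexdigest()[:11]
    return salt + digest


def weak_crypt_pw(password: str) -> str:
    """Model of the scheme criticised in the thread: salt = password[:2]."""
    return crypt_with_salt(password, password[:2])


def random_salt_crypt_pw(password: str) -> str:
    """Conventional alternative: salt chosen independently of the password."""
    salt = "".join(secrets.choice(ALPHABET) for _ in range(2))
    return crypt_with_salt(password, salt)


def leaked_prefix(stored: str) -> str:
    """Under the weak scheme the visible salt IS the password's first two characters."""
    return stored[:2]


def search_space(length: int, alphabet: str = ALPHABET, salt_is_prefix: bool = False) -> int:
    """Guesses needed for a `length`-character password drawn from `alphabet`."""
    unknown = length - 2 if salt_is_prefix else length
    return len(alphabet) ** unknown


def crack(stored: str, length: int, alphabet: str = ALPHABET, salt_is_prefix: bool = False):
    """Brute-force a crypt(3) hash of a `length`-character password.

    Returns (password, guesses_tried) or (None, guesses_tried).  With
    salt_is_prefix=True the cracker trusts that the salt is the password's
    first two characters and only enumerates the remaining length - 2.
    """
    salt = stored[:2]
    prefix = salt if salt_is_prefix else ""
    tried = 0
    for tail in itertools.product(alphabet, repeat=length - len(prefix)):
        tried += 1
        guess = prefix + "".join(tail)
        if crypt_with_salt(guess, salt) == stored:
            return guess, tried
    return None, tried


if __name__ == "__main__":
    # Constructed sample password for the demo.
    stored = weak_crypt_pw("7a9Q")
    print("stored form:", stored, "-> leaks prefix", leaked_prefix(stored))
    print("guesses, salt = password prefix:", search_space(4, salt_is_prefix=True))
    print("guesses, independent salt      :", search_space(4))
    print("recovered:", crack(stored, 4, salt_is_prefix=True))
```

For a realistic 8-character DES crypt password over the 95 printable ASCII characters, the leak cuts the search from 95^8 to 95^6 guesses, a factor of 95^2 = 9025; since DES crypt ignores everything past the eighth character, the "encrypted form" observed in the cleartext HTTP response or in the follow-up mail hands an attacker a quarter of the effective password for free.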
Current thread:
- Network Solutions Crypt-PW Authentication-Scheme vulnerability Peter Ajamian (Jun 08)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability aleph1 (Jun 08)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Tyler Walden (Jun 10)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Barney Wolff (Jun 11)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Tyler Walden (Jun 10)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Chris Adams (Jun 10)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Len Sassaman (Jun 10)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Peter W (Jun 10)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Peter Ajamian (Jun 10)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Peter van Dijk (Jun 10)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability Wichert Akkerman (Jun 11)
- <Possible follow-ups>
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability jkohl (Jun 10)
- Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability aleph1 (Jun 08)