Bugtraq mailing list archives
Demarc Puresecure v1.6 - Plaintext password issue -
From: "Ryan Purita" <ryan () totally-connected com>
Date: Wed, 21 May 2003 12:17:57 -0700
According to Demarc Puresecure's Website; Demarc PureSecureTM is a one of a kind, Total Intrusion Detection System (TIDS), which provides an unsurpassed level of comprehensive security. For the first time you will be able to reliably prevent, detect, and deter internal and external threats to your organization's valuable assets with complete confidence, 24 hours a day. Advanced cross platform compatible technology means PureSecure can be deployed and scaled in a wide variety of network infrastructures #PROBLEM Demarc Puresecure v1.6 stores plaintext password and login information for the central/remote logging server. (And some spelling mistakes) <--SNIP--> #------------------------------------------------------------------ # Database Variables #------------------------------------------------------------------ # You MUST change these to match a valid account on your database. # The database user must have insert/update and drop priviledges. db_user = "puresecure" db_password = "abc123" db_host = "192.168.1.254" db_name = "IDS" db_port = "3306" <--SNIP--> Granted this is a restricted user and not root, but any access is bad access. The account could be used to flood the logging server with bogus information, update previous information, or drop tables, compromising the integrity of the SQL database. Tested on Demarc Puresecure Professional and Personal editions v1.6. Ryan Purita, CISSP Senior Security Consultant www.totally-connected.com
Current thread:
- Demarc Puresecure v1.6 - Plaintext password issue - Ryan Purita (May 21)
- Re: Demarc Puresecure v1.6 - Plaintext password issue - David Barroso (May 23)
- Re: Demarc Puresecure v1.6 - Plaintext password issue - Kurt Seifried (May 24)
- Re: Demarc Puresecure v1.6 - Plaintext password issue - David Barroso (May 23)