Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Nessus stores credentials in plain text

From: ~Kevin Davis³ <kevin.davis () mindless com>
Date: Sat, 27 Mar 2004 07:50:14 -0500
Many people would disagree that storing passwords in plaintext is not a
vulnerability.  This includes entities like ISS who werre doing the same
thing and once realized it changed it.  For many, it is not a matter of
merely being "nice" to encrypt plaintext passwords, but a requirement.  You
are giving the keys to the kingdom away for free here.

----- Original Message ----- 
From: "Raymond Morsman" <raymond () dyn org>
To: "~Kevin Davis³" <computerguy () cfl rr com>
Cc: <full-disclosure () lists netsys com>
Sent: Saturday, March 27, 2004 4:08 AM
Subject: Re: [Full-disclosure] Nessus stores credentials in plain text



On Sat, 2004-03-27 at 06:01, ~Kevin Davis³ wrote:

I have posted this issue to a couple entities like bugtraq and CERT
with no response.  I mentioned this issue to an organization


And so it should be. These are not vulnerabilities in the pure sense of
the word.

What you call credentials are nothing more than system data for Nessus
and therefore not an issue for Nessus.

You can't use MD5 on systemdata.

However, I must agree that it would be nice if this information would be
encrypted with the users password.

Raymond.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: