Full Disclosure mailing list archives
Re: Nessus stores credentials in plain text
From: ~Kevin Davis³ <kevin.davis () mindless com>
Date: Sun, 28 Mar 2004 16:17:29 -0500
Q. Does Nessus use username and password data and store it in plaintext locally even after the client connections are long gone?
A. Yes.

If it is not ok for vulnerability scanners like ISS and others to do this, why is it ok for Nessus to do this?

----- Original Message -----
From: "Raymond Morsman" <raymond () dyn org>
To: "~Kevin Davis³" <computerguy () cfl rr com>
Cc: <full-disclosure () lists netsys com>
Sent: Sunday, March 28, 2004 4:27 PM
Subject: Re: [Full-disclosure] Nessus stores credentials in plain text
On Sat, 2004-03-27 at 17:47, ~Kevin Davis³ wrote:
> Many people would disagree that storing passwords in plaintext is not a vulnerability. This includes entities like ISS who were doing the same thing and once realized it changed it. I don't see how a plaintext username and password is simply "system data" and not also credentials. And guess what? Nessus itself has several plugins that check for plaintext passwords in other applications.

Q: Does Nessus use this data for its own persona-check?
A: No, it uses it for client connections.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html