[12494] in bugtraq
Insecure handling of NetSol maintainer passwords
daemon@ATHENA.MIT.EDU (jlewis@LEWIS.ORG)
Tue Nov 9 12:32:11 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.9910252333570.3632-100000@redhat1.mmaero.com>
Date: Mon, 8 Nov 1999 20:12:49 -0500
Reply-To: jlewis@LEWIS.ORG
From: jlewis@LEWIS.ORG
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Some months ago I began using the crypt-pw Auth Scheme with my
Internic/Network Solutions NIC handle because forging mail to
internic.net is just too easy and I don't want my domains messed with.
On Sep 21, 1999 I notified security@networksolutions.com that when doing
domain updates with Auth Scheme Crypt-PW, if the clear text password
contains spaces, their processing scripts strip out the password up to the
first space, and then send off notification emails containing the
remainder of the password to the other contacts involved with the domain
being updated.
I was told my report had been passed on to the developers for a fix.
About a month went by and the problem had not been fixed, so I asked about
it again. On Oct 26, I was told it was still in the hands of the
developers, and it was recommended that I not use a password containing
spaces.
Today, I sent in some updates, and the problem still has not been fixed.
----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| Spammers will be winnuked or
System Administrator | nestea'd...whatever it takes
Atlantic Net | to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________
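
A minimal model of the flaw described in the message above, added here as an example; it is not Network Solutions' code and not part of the original post. The field names, the sample request and all function names are assumptions. It puts a parser that keeps only the first whitespace token of each value, and echoes the rest into the notification, beside one that keeps the whole value and never echoes secret fields.

```python
# Constructed sample update request. The field names are hypothetical and
# are not taken from the real registrar template.
SAMPLE = """\
Domain: example.com
Auth-Scheme: CRYPT-PW
Auth-Password: correct horse battery
Nameserver: ns1.example.com
"""

SECRET_FIELDS = {"auth-password"}  # fields that must never appear in notifications


def parse_naive(text):
    """Flawed model: a value is the first whitespace token; the rest is stray text."""
    fields, leftover = {}, []
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        tokens = rest.split()
        fields[key.strip().lower()] = tokens[0] if tokens else ""
        leftover.extend(tokens[1:])  # tail of a spaced password ends up here
    return fields, leftover


def notify_naive(text):
    """Builds the notification; secret fields are filtered, but the leftovers are not."""
    fields, leftover = parse_naive(text)
    body = [f"{k}: {v}" for k, v in fields.items() if k not in SECRET_FIELDS]
    return "\n".join(body + ["Unrecognized text: " + " ".join(leftover)])


def parse_strict(text):
    """Corrected model: the value is everything after the first colon."""
    fields = {}
    for line in text.splitlines():
        key, sep, rest = line.partition(":")
        if sep:
            fields[key.strip().lower()] = rest.strip()
    return fields


def notify_strict(text):
    """Notification built only from parsed, non-secret fields; nothing else is echoed."""
    fields = parse_strict(text)
    return "\n".join(f"{k}: {v}" for k, v in fields.items() if k not in SECRET_FIELDS)


if __name__ == "__main__":
    print(notify_naive(SAMPLE), notify_strict(SAMPLE), sep="\n---\n")
```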