[12532] in bugtraq


Re: Insecure handling of NetSol maintainer passwords

daemon@ATHENA.MIT.EDU (Sean Sosik-Hamor)
Thu Nov 11 13:53:19 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.BSO.4.10.9911110858500.2449-100000@wind.shn.nu>
Date:         Thu, 11 Nov 1999 09:06:12 -0500
Reply-To: Sean Sosik-Hamor <ssh@SHN.NU>
From: Sean Sosik-Hamor <ssh@SHN.NU>
X-To:         Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19991111080028.8E9181EED1@lists.securityfocus.com>

Jefferson Ogata <jogata@NODC.NOAA.GOV> wrote:

# I have also noticed a problem with Network Solutions' handling of
# passwords for CRYPT-PW authentication: when you submit the password
# initially, the form they generate with their New Contact Form web
# system runs the password you enter through crypt(), but the first
# two characters of the encrypted value (the salt) are the same as the
# first two characters of the password, indicating they use the
# password as its own salt.

I originally found this and reported it to them in 1996.  Since then,
I've sent them numerous emails and called them four or five times.
Each time, I was told that "it would be looked into."  So, here it is
three years later.  Yay.

http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-10-8&msg=Pine.LNX.3.95.961011120728.3070A-100000@socks.litter717.net

/Sean/
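Added example, not part of this thread or of anything Network Solutions published: a short Python demonstration of why the behaviour Ogata describes (crypt() with the password's own first two characters as the salt) is a problem. It uses Python's crypt module (traditional DES crypt: 2-character salt, 13-character result) where the interpreter and libc provide it, and otherwise a clearly labelled stand-in that only reproduces the salt-prefix format; the properties shown depend on the salt, not on the cipher. All function names, the wordlist and the sample password are assumptions made for this example.

```python
"""Added example: password-as-salt crypt(3) versus a random salt.

Uses the real crypt module when available and working; otherwise a
labelled stand-in with the same 13-character shape. Names and sample
data are assumptions for this example, not anything from the thread.
"""
import hashlib
import secrets
import string
import warnings

# The 64-character salt alphabet of traditional crypt(3).
SALT_ALPHABET = string.ascii_letters + string.digits + "./"


def _fallback_crypt(word, salt):
    """Stand-in with crypt(3)'s shape (salt + 11 chars). NOT DES crypt."""
    digest = hashlib.sha256((salt + word[:8]).encode()).digest()  # 8-char limit like crypt(3)
    return salt + "".join(SALT_ALPHABET[b & 63] for b in digest[:11])


def _load_crypt():
    """Return the real crypt(3) wrapper if it works here, else the stand-in."""
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            import crypt  # deprecated in Python 3.11, removed in 3.13
        probe = crypt.crypt("probe", "ab")
        # Some libxcrypt builds disable DES and return a failure token or NULL.
        if isinstance(probe, str) and len(probe) == 13 and probe.startswith("ab"):
            return crypt.crypt
    except (ImportError, OSError, ValueError):
        pass
    return _fallback_crypt


crypt3 = _load_crypt()


def crypt_password_as_salt(password):
    """The scheme Ogata describes: salt = first two characters of the password."""
    salt = password[:2]
    if len(salt) < 2 or any(c not in SALT_ALPHABET for c in salt):
        # A password starting with e.g. '!' is not a valid salt; crypt()
        # implementations differ on what they return for one, so refuse it.
        raise ValueError("first two characters are not a valid crypt(3) salt")
    return crypt3(password, salt)


def crypt_random_salt(password):
    """What the form should do instead: a random salt from the salt alphabet."""
    salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(2))
    return crypt3(password, salt)


def salt_leaks_password(password, hashed):
    """The check a submitter can run on the generated form: does the hash
    begin with the password's own first two characters?"""
    return hashed[:2] == password[:2]


def prune_wordlist_by_salt(hashed, wordlist):
    """Attacker's view of a password-derived salt: the two salt characters
    are two known password characters, so only candidates sharing that
    prefix need to be tried."""
    salt = hashed[:2]
    return [w for w in wordlist if w[:2] == salt]


def crack(hashed, wordlist, salt_is_password_prefix):
    """Dictionary attack; returns (password or None, number of crypt calls)."""
    candidates = prune_wordlist_by_salt(hashed, wordlist) if salt_is_password_prefix else wordlist
    tried = 0
    for word in candidates:
        tried += 1
        if crypt3(word, hashed[:2]) == hashed:
            return word, tried
    return None, tried


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    wordlist = ["admin", "maple", "master", "secret", "zzz"]
    weak = crypt_password_as_salt("master")
    print("hash:", weak, "leaks prefix:", salt_leaks_password("master", weak))
    # Two contacts with the same password get the same hash: no per-record salt.
    print("same hash for same password:", weak == crypt_password_as_salt("master"))
    print("pruned attack:", crack(weak, wordlist, salt_is_password_prefix=True))
    print("full wordlist:", crack(weak, wordlist, salt_is_password_prefix=False))
```

Two things fall out of running it: every maintainer who chose the same password gets the same CRYPT-PW string, so the hashes in the database reveal shared passwords without any cracking, and anyone who sees a hash gets two password characters for free and can drop every candidate that does not start with them. Remember crypt(3) also ignores everything after the eighth character, so the leak is two out of at most eight.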
