Meridian Systems Prolog Manager does not use strong encryption and returns a list of all user credentials when authenticating clients. These behaviors could allow an attacker to obtain user credentials and decrypt passwords.
Meridian Systems Prolog Manager is a set of construction project management tools that are designed to interface with a Microsoft SQL Server.
Prolog Manager administrators can choose to use one of the following methods to encrypt the passwords:
no encrytionis selected, and Prolog Manager does not use sufficiently strong encryption when
enhanced encryptionare selected. In addition, when a client logs into Prolog Manager, the authentication credentials of all users in the system are returned to the client. An attacker could obtain credentials by sniffing network traffic or by sending an invalid login request to the Prolog Manager server and capturing the response. The attacker may then be able to decrypt passwords offline.
An attacker who can intercept network traffic or send an invalid loin request can obtain authentication credentials and decrypt passwords.
We are currently unaware of a practical solution to this problem.
Use database and network encryption
enhanced encryptionoption may increase the effort required for an attacker to decrpt passwords. See the Meridian November 2004 Product Tip for more information about enabling encryption.
Vendor| Status| Date Notified| Date Updated
Meridian Systems| | 27 Sep 2007| 19 Dec 2007
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
Information about this vulnerability was posted on the bugtraq mailing list.
This document was written by Ryan Giobbi.