Multiple Exchange Modules exchverify.log Login Credential Disclosure

1998-11-12T00:00:00
ID OSVDB:10084
Type osvdb
Reporter Jamie Byrnes (jamie.byrnes@kbjv.com)
Modified 1998-11-12T00:00:00

Description

Vulnerability Description

Innoculan AV for Exchange and ArcServe Backup for Exchange contain a flaw that may lead to unauthorized password exposure. Installing these modules creates an exchverify.log file, and anyone who can access that file can obtain plaintext passwords or the number of characters in the password, which may lead to a loss of integrity.

Technical Description

Depending on the module and version, the exchverify.log file contains either the number of characters in the password, or the plaintext password itself.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Delete the exchverify.log file.

References:

Mail List Post: http://marc.theaimsgroup.com/?l=ntbugtraq&m=91133714919229&w=2
Mail List Post: http://marc.theaimsgroup.com/?l=ntbugtraq&m=91096758513985&w=2
ISS X-Force ID: 8370
CVE-1999-1322