NessusWX Username and Password Disclosure

2004-03-26T00:00:00
ID OSVDB:4814
Type osvdb
Reporter Kevin Davis (computerguy@cfl.rr.com)
Modified 2004-03-26T00:00:00

Description

Vulnerability Description

NessusWX contains a flaw that may lead to unauthorized password exposure. A malicious user can gain access to plaintext usernames and passwords by locating plugin configuration settings in directories ending with ".session" under the NessusDB directory tree, leading to a loss of confidentiality.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

Look for the presence of session files such as: C:\NessusDB\MySession.session

References:

Vendor URL: http://nessuswx.nessus.org
Security Tracker: 1009577
Other Advisory URL: http://www.securitytracker.com/alerts/2004/Mar/1009577.html
Other Advisory URL: http://seclists.org/fulldisclosure/2004/Mar/1343.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-03/1363.html
Mail List Post: http://archives.neohapsis.com/archives/sf/ms/2004-q2/0001.html
ISS X-Force ID: 15641
CVE-2004-2723
Bugtraq ID: 9993