NeWT config.xml Username and Password Disclosure

2004-03-26T00:00:00
ID OSVDB:4815
Type osvdb
Reporter OSVDB
Modified 2004-03-26T00:00:00

Description

Vulnerability Description

NeWT contains a flaw that may lead to unauthorized password exposure. NeWT stores sensitive information insecurely in the config.xml file on the system, which makes it possible to gain access to plaintext passwords. Password disclosure may lead to a loss of confidentiality, integrity and/or availability.

Technical Description

The config.xml file stores username and password information in unencrypted plaintext. This affects the following types of accounts: FTP, IMAP, POP2, POP3, NNTP, SNMP, and SMB (Windows NT Domain).

Typically this config file is stored locally at the following location: \Documents and Settings\<Username>\Tenable\NeWT\config\config.xml
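
An added audit sketch, not part of the advisory or of NeWT: it looks for config.xml at the location above under each profile directory and reports which fields look like stored passwords, without printing their values. The advisory does not give the config.xml schema, so the "pass" name heuristic, the function names and the sample XML are assumptions.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Path suffix from the advisory; the <Username> component varies per profile.
NEWT_SUFFIX = os.path.join("Tenable", "NeWT", "config", "config.xml")
# Assumption: credential fields carry "pass" in their element or attribute name.
HINT = "pass"

def find_newt_configs(profiles_root):
    """Return every NeWT config.xml found one level below profiles_root."""
    found = []
    for entry in sorted(os.listdir(profiles_root)):
        candidate = os.path.join(profiles_root, entry, NEWT_SUFFIX)
        if os.path.isfile(candidate):
            found.append(candidate)
    return found

def password_like_fields(xml_path):
    """Return names of non-empty password-like fields, never their values."""
    try:
        root = ET.parse(xml_path).getroot()
    except ET.ParseError:
        return ["<unparseable: review manually>"]
    hits = []
    for elem in root.iter():
        if HINT in elem.tag.lower() and (elem.text or "").strip():
            hits.append(elem.tag)
        for name, value in elem.attrib.items():
            if HINT in name.lower() and value.strip():
                hits.append(f"{elem.tag}@{name}")
    return hits

def audit(profiles_root):
    """Map each config.xml found to its list of password-like field names."""
    return {p: password_like_fields(p) for p in find_newt_configs(profiles_root)}

def build_sample_tree():
    """Constructed sample profiles; the XML layout is made up for the demo."""
    root = tempfile.mkdtemp()
    samples = {
        "alice": '<config><pop3 user="a" password="x"/>'
                 "<smb><password>y</password></smb></config>",
        "bob": '<config><pop3 user="b" password=""/></config>',
    }
    for user, body in samples.items():
        cfg_dir = os.path.dirname(os.path.join(root, user, NEWT_SUFFIX))
        os.makedirs(cfg_dir)
        with open(os.path.join(cfg_dir, "config.xml"), "w") as fh:
            fh.write(body)
    os.makedirs(os.path.join(root, "carol"))  # profile without NeWT installed
    return root
```

Calling `audit()` on the real profiles root (for example `C:\Documents and Settings`) lists the files to review after upgrading; any non-empty result on a host means the stored account passwords should be treated as exposed to anyone who could read that file.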

Solution Description

Upgrade to version 1.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Other Advisory URL: http://www.securitytracker.com/alerts/2004/Mar/1009576.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-03/1361.html
ISS X-Force ID: 15639