Allmanage allmanage.pl Administrator Password Retrieval

2000-05-15T00:00:00
ID OSVDB:4982
Type osvdb
Reporter Bighawk (bighawk@warfare.com)
Modified 2000-05-15T00:00:00

Description

Vulnerability Description

Allmanage contains a flaw that may lead to an unauthorized password exposure. It is possible to gain access to the plain text administrator password when requesting the 'allmanage.pl' script with the 'K' option, which may lead to a loss of confidentiality.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It may be possible to correct the flaw by implementing the following workaround:

Remove the read file permission on the allmanage/k file for all users except the owner of the file.
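
The workaround above as a check-and-fix script. This is an added example, not part of the original advisory or of Allmanage itself; the install directory passed as the argument is an assumption, and only the standard mode bits are inspected (not ACLs).

```shell
#!/bin/sh
# Added example: audit and apply the workaround on the Allmanage "k" file.
# Usage: sh harden_k.sh /path/to/allmanage   (the path is an assumption)

# Print the 10-character mode string for a path, e.g. -rw-r--r--
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# Succeed (0) when group or other still has read permission on the file.
k_file_exposed() {
    m=$(mode_string "$1")
    [ "$(printf '%s' "$m" | cut -c5)" = "r" ] ||
        [ "$(printf '%s' "$m" | cut -c8)" = "r" ]
}

# Remove read permission for everyone except the owner of <dir>/k.
harden_k_file() {
    f="$1/k"
    # chmod follows symlinks, so refuse them rather than change another file.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "skip: $f is missing or not a regular file" >&2
        return 2
    fi
    if k_file_exposed "$f"; then
        echo "exposed: $(mode_string "$f") $f"
        chmod go-r -- "$f" || return 1
    fi
    # Re-check instead of trusting chmod's exit status alone.
    if k_file_exposed "$f"; then
        echo "still readable by group/other: $f" >&2
        return 1
    fi
    echo "ok: $(mode_string "$f") $f"
}

if [ "$#" -gt 0 ]; then
    harden_k_file "$1"
fi
```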

References:

Related OSVDB ID: 1337
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-05/0167.html
ISS X-Force ID: 4466
CVE-2000-0434
Bugtraq ID: 1217