Castelle Faxpress: Password used for NT Print queue can be disclosed in Plain Text

2002-02-05T00:00:00
ID SECURITYVULNS:DOC:2452
Type securityvulns
Reporter Securityvulns
Modified 2002-02-05T00:00:00

Description

Overview

I have reported this to Castelle and they told me it is a feature for troubleshooting, however they will make the change the next time they release the Faxpress Software. I just thought that other admins should be made aware so they can check their systems are secured correctly.

Printing can be configured to use either a printer connected directly to the parallel port of the fax server or to a Network print queue. When configuring the system to use a Network print queue the following information needs to be entered.

NT Host Name
Printer Shareable Name
IP Address
Login Name
Password

If the login name is either entered incorrectly or changed by a user, when a document is sent to the print queue an error event will be added to the notices. This error divulges the following information.

Notice: Network Print Queuing Error For Job XXXX
Notice For: Faxpress Username
Queue: Printer name
Server: NTPrint Server
Login: Login, Password
Error At: Time Error.

The Login credentials, including the password, are shown in Plain text.

I assume that most Administrators with this Fax System out there use a single username for all Faxpress printing due to the hassle of changing login information every time a user's Password expires. I hope nobody has just tapped in an Admin account's details because they were feeling lazy!

Workarounds: Make sure that Users are unable to make changes to their mailbox settings.

To re-create the 'feature'
-Log into the Faxpress
-Select any printable item e.g. an Outgoing fax or a failed transmission
-Right click on the item and choose print
-Click "Printer"
-Click on "Queue"
-Note the username
-Change the username e.g. from "John" to "John1"
-Click OK
-Click OK
-Click OK
-Go to notices
-Double click on the printing error

The username "John1" and his password are presented. If anyone has problems re-creating this feel free to drop me a mail.

Best Regards

Nard

The opinion expressed is my own and is not that of my company.
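For admins who archive or forward Faxpress notices, an added example (not part of the original message and not Castelle code): it scans notice text in the field layout quoted above, reports which notices carry a second value in the Login field, and masks that value. The sample notices, names and password are constructed, and how the notice text is obtained from the system is an assumption.

```python
import re

# Field labels taken from the notice layout quoted in the advisory.
LABEL = r"(?:Notice For|Notice|Queue|Server|Login|Error At)"
# label, spacing, value, trailing spacing; a value ends at the next label or end of text.
FIELD_RE = re.compile(rf"({LABEL}):(\s*)(.*?)(\s*)(?={LABEL}:|\Z)", re.S)

def parse_notices(text):
    """Split notice text (one field per line or flattened) into one dict per notice."""
    notices = []
    for m in FIELD_RE.finditer(text):
        if m.group(1) == "Notice" or not notices:
            notices.append({})  # a "Notice:" field starts a new record
        notices[-1][m.group(1)] = m.group(3)
    return notices

def leaked_logins(text):
    """Return (notice title, username) for notices whose Login field also holds a secret."""
    hits = []
    for n in parse_notices(text):
        user, sep, secret = n.get("Login", "").partition(",")
        if sep and secret.strip():
            hits.append((n.get("Notice", ""), user.strip()))
    return hits

def redact(text):
    """Mask everything after the first comma of each Login field; leave the rest intact."""
    def fix(m):
        user, sep, _ = m.group(3).partition(",")
        if m.group(1) != "Login" or not sep:
            return m.group(0)
        return f"{m.group(1)}:{m.group(2)}{user}, [REDACTED]{m.group(4)}"
    return FIELD_RE.sub(fix, text)

# Constructed sample: one print-queue error in the advisory's layout, one unrelated notice.
SAMPLE = (
    "Notice: Network Print Queuing Error For Job 1042\n"
    "Notice For: jsmith\nQueue: HPLJ4\nServer: NTPRINT01\n"
    "Login: John1, ExamplePassw0rd\nError At: 10:42\n"
    "Notice: Constructed unrelated notice\nNotice For: jsmith\n"
)

if __name__ == "__main__":
    for title, user in leaked_logins(SAMPLE):
        print(f"credential exposed in notice '{title}' for login '{user}'")
    print(redact(SAMPLE))
```

Any account reported by `leaked_logins` should have its password changed, since the notice has already shown it to whoever could open it.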
