Re: Insecure handling of NetSol maintainer passwords

From: Sean Sosik-Hamor (sshat_private)
Date: Thu Nov 11 1999 - 06:06:12 PST

Next message: Olaf Kirch: "Re: [linux-security] Re: undocumented bugs - nfsd"

Previous message: BindView Advisory: "SmartServer3 POP3"
Maybe in reply to: jlewisat_private: "Insecure handling of NetSol maintainer passwords"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jefferson Ogata <jogataat_private> wrote:

# I have also noticed a problem with Network Solutions' handling of
# passwords for CRYPT-PW authentication: when you submit the password
# initially, the form they generate with their New Contact Form web
# system runs the password you enter through crypt(), but the first
# two characters of the encrypted value (the salt) are the same as the
# first two characters of the password, indicating they use the
# password as its own salt.

I originally found this and reported it to them in 1996.  Since then,
I've sent them numerous emails and called them four or five times.
Each time, I was told that "it would be looked into."  So, here it is
three years later.  Yay.

Pine.LNX.3.95.961011120728.3070A-100000at_private">http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-10-8&msg=Pine.LNX.3.95.961011120728.3070A-100000at_private

/Sean/

Next message: Olaf Kirch: "Re: [linux-security] Re: undocumented bugs - nfsd"
Previous message: BindView Advisory: "SmartServer3 POP3"
Maybe in reply to: jlewisat_private: "Insecure handling of NetSol maintainer passwords"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:11:21 PDT