Re: Tektronix PhaserLink Webserver Reveals Admin Password
From: Blake Frantz (blakeat_private)
Date: Wed Nov 17 1999 - 14:43:35 PST
Next message: John Madden: "Re: Microsoft Security Bulletin (MS99-043)"
Here are a couple more problems with the Tektronix webserver services:
(We run the Tektronix 740 Extended)
When the people at Tektronix designed the web services, security was in
mind. For example, some URLs that require password authentication do
generate a key to pass along instead of the plain password.
For example, if you download the Job Accounting Records the URL is as
follows:
http://>/config_job_browse.html?http_password=<alphabet
soup>&job_record=30
This is great, except it appears that the key is only generated one time,
I can paste this URL into any browser on any machine and view the URL with
no restrictions. In walks the History folder, any user that has access
to your machine, unless you clear the history, can access any URL
viewed by the administrator, including pages that require password
authentication.
If the administrator ever downloads the Job Accounting log, he/she is
required to enter in the admin password. After the password is entered
and submitted, the page containing the job accounting links has the
following url:
http://>/config_job_links?http_password=<cleartextpassord>
Basically, any user that gets noses and decides to browse your History
folder can stumble upon this url with the words "http_password=joo"
slapping them in the face.
Point being made, clear you history if you use the web services for
printer administration, and restrict access the ports corresponding to the
services you have running.
----------------------------
Blake Frantz
Systems Administrator
Specialty Care Systems, Inc.
blakeat_private
----------------------------
"Our Government, like diapers, should be changed regularly and often for
the same reason." - Don't know
This archive was generated by hypermail 2b30
: Fri Apr 13 2001 - 15:13:14 PDT