[SNS Advisory No.43] PGP Keyserver Permissions Misconfiguration

From: snsadvat_private
Date: Fri Sep 28 2001 - 02:26:33 PDT


    ----------------------------------------------------------------------
    SNS Advisory No.43
    PGP Keyserver Permissions Misconfiguration
    
    Problem first discovered: Fri, 3 Aug 2001
    Published: Fri, 28 Sep 2001
    ----------------------------------------------------------------------
    
    Overview:
    ---------
     PGP Keyserver, distributed by Network Associates, contains a vulnerability
     that allows attackers to access the administrative web interface without
     authentication.
    
    Problem Description:
    --------------------
     PGP Keyserver, distributed by Network Associates, is configured through
     an administrative web interface. Access to this interface requires
     authentication with a username and password.
    
     However, PGP Keyserver has a vulnerability that allows unauthorized users
     to change settings. Normally, authenticated configuration changes are
     made through the following URLs:
    
        http://server.name/keyserver/cgi-bin/console.exe?page_size=...
        http://server.name/keyserver/cgi-bin/cs.exe?action=...
    
     PGP Keyserver allows attackers to perform administrative tasks without
     authentication by using the following URLs instead:
    
        http://server.name/cgi-bin/console.exe?page_size=...
        http://server.name/cgi-bin/cs.exe?action=...
    
    
    Tested Version: 
    ---------------
     PGP Keyserver 7.0 for Windows NT
    
    Tested on:
    ----------
     Windows 2000 Server + SP2 [English]
    
    Solution:
    ---------
     A solution for this security issue in PGP Keyserver 7.0 is available at:
     http://www.pgp.com/support/product-advisories/keyserver.asp
    
    Discovered by:
    --------------
     Nobuo Miwa (LAC / snsadvat_private)
    
    
    Disclaimer:
    -----------
     All information in these advisories is subject to change without
     advance notice or mutual consensus, and each advisory is released
     as is. LAC Co.,Ltd. is not responsible for any risks or occurrences
     caused by applying this information.
    
    References
    ----------
     Archive of this advisory (in preparation now):
     http://www.lac.co.jp/security/english/snsadv_e/43_e.html
    
    ------------------------------------------------------------------
    Secure Net Service(SNS) Security Advisory <snsadvat_private>
    Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
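
Added example, not part of the SNS advisory or of the product: a defender-side log check for the condition in the Problem Description, flagging requests that reach console.exe or cs.exe through /cgi-bin/ without the /keyserver/ prefix. The Common Log Format, the constructed sample lines (query values are placeholders), and the function names are assumptions; the advisory does not name the web server or its log format.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (an assumed format).
SAMPLE_LOG = """\
192.0.2.10 - admin [28/Sep/2001:09:01:12 -0700] "GET /keyserver/cgi-bin/console.exe?page_size=X HTTP/1.0" 200 5120
198.51.100.7 - - [28/Sep/2001:09:14:40 -0700] "GET /cgi-bin/console.exe?page_size=X HTTP/1.0" 200 5120
198.51.100.7 - - [28/Sep/2001:09:15:02 -0700] "POST /CGI-BIN/cs.exe?action=X HTTP/1.0" 200 310
198.51.100.7 - - [28/Sep/2001:09:15:30 -0700] "GET //cgi-bin/%63s.exe?action=X HTTP/1.0" 200 310
203.0.113.5 - - [28/Sep/2001:09:20:00 -0700] "GET /index.html HTTP/1.0" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Paths the advisory lists as reachable without authentication.
UNPROTECTED = {"/cgi-bin/console.exe", "/cgi-bin/cs.exe"}


def normalise(target):
    """Reduce a request target to a comparable path.

    Drops the query string, decodes percent-escapes, folds backslashes and
    repeated slashes, and lower-cases (Windows paths are case-insensitive).
    """
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    return re.sub(r"/+", "/", path).lower()


def unauthenticated_admin_hits(log_text):
    """Return (client, user, method, path, status) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a CLF request line
        client, user, method, target, status = m.groups()
        path = normalise(target)
        if path in UNPROTECTED:
            hits.append((client, user, method, path, int(status)))
    return hits


if __name__ == "__main__":
    for hit in unauthenticated_admin_hits(SAMPLE_LOG):
        print(*hit)
```

Any hit on a host running the affected version is worth reviewing together with the keyserver's configuration history, since the logged status shows whether the request was served.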
    


