Vigil@nce : Secure Web SmartFilter, information disclosure
March 2009 by Marc Jacob
SYNTHESIS OF THE VULNERABILITY
Passwords are stored in clear form in some files of Secure
Computing Secure Web SmartFilter.
Gravity : 1/4
Consequences : data reading
Provenance : user shell
Means of attack : 1 attack
Ability of attacker : technician (2/4)
Confidence : unique source (2/5)
Diffusion of the vulnerable configuration : high (3/3)
Creation date : 23/03/2009
IMPACTED PRODUCTS
– Secure Computing Secure Web
DESCRIPTION OF THE VULNERABILITY
The administration console of the Secure Computing Secure Web
SmartFilter product stores its configuration in the
C:\Program Files\Secure Computing\Smartfilter Administration\server\config\
directory.
However, the access rights of the config.txt and admin_backup.xml
files allow a local attacker to read them. These files can contain
a password for accessing the proxy.
A local attacker can therefore obtain a password to connect to the
proxy.
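
A defender-side check for the condition described above, as an added example that is not part of the original advisory: it reads the ACLs of the two files and lists allow entries that grant read access to broad local groups. The set of well-known SIDs treated as "any local user" is an assumption of this example.

```powershell
# Added audit example. Directory and file names are taken from the advisory text.
$configDir = 'C:\Program Files\Secure Computing\Smartfilter Administration\server\config'
$files     = 'config.txt', 'admin_backup.xml'

# Assumption: these well-known SIDs stand in for "any local user".
# SIDs are used instead of names so the check works on localized Windows.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# ReadData (0x1) plus GENERIC_READ and GENERIC_ALL, which some ACEs carry unmapped.
$readMask = 0x1 -bor 0x80000000 -bor 0x10000000

foreach ($name in $files) {
    $path = Join-Path $configDir $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Output "$path : not present"
        continue
    }
    # Only Allow entries are evaluated; Deny entries and nested groups are not.
    $findings = foreach ($rule in (Get-Acl -LiteralPath $path).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($broadSids.ContainsKey($sid) -and
            (([int]$rule.FileSystemRights) -band $readMask)) {
            [pscustomobject]@{
                File      = $path
                Principal = $broadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
    if ($findings) { $findings } else { Write-Output "$path : no broad read ACE found" }
}
```

An entry marked as inherited means the permission comes from a parent directory, so the ACL to review is the one on the folder rather than on the file itself.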
CHARACTERISTICS
Identifiers : VIGILANCE-VUL-8552
http://vigilance.fr/vulnerability/Secure-Web-SmartFilter-information-disclosure-8552