[Previous] [Next] - [Index] [Thread Index] - [Previous in Thread] [Next in Thread]

Subject: UKNM: Webtrends users beware...
From: Bill Thompson
Date: Fri, 21 Aug 1998 11:19:33 +0100

Hash: SHA1

This message was posted to the BUGTRAQ mailing list. It may be
of interest to any WebTrends users. I am currently chasing
further information. I also have a copy of a C program that will
demonstrate the problem, which I will send directly to those
who want a copy (but I won't post it via the list)


- --------- COPIED MESSAGE STARTS -------

The WebTrends Log Analyzer (http://www.webtrends.com/) is a reporting
tool to allow web admins to generate website usage reports from web
server logfiles. The tool is able to retrieve logfiles remotely via
HTTP or FTP to do the reporting.

The problem is that any FTP and HTTP username and password information
used to access the web server's log files is insecurely stored in
configuration files. Specifically, the information is XOR'ed with a
hardcoded 16-byte key. If the username and/or password exceed 16
characters, the key wraps around and is reused.

What makes the issue worse is, in using FTP or HTTP where a username
and password are required, there is no option in the program to *NOT*
save the username and password information. If you leave the password
field empty, the connection to the web server fails.

Granted, this vulnerability is only an issue if an unauthorized user
can access the configuration files for the Log Analyzer. But, if the
software is put on a fileserver, anyone with fileserver access is (by
default) able to read the configuration files, making the web server's
host vulnerable.

I contacted WebTrends over a month ago about the vulnerability; the
people I talked with dismissed the issue and for the last three weeks
have ignored my attempts to contact them.

If you use the WebTrends Log Analyzer, the only recommended workaround
is to not use its remote connection capabilities where a username
and password are required.

- - -Chris


| Christopher Wilson chris [dot] wilsonatharris [dot] com
- ------- END OF COPIED MESSAGE ------

Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>



Bill Thompson +44 (0) 1223 245963
mobile: 0411 557361 http://dspace.dial.pipex.com/bill/
"You'll have to pry my private key out of my cold dead hands."
"Your proposal is acceptable..."
<<PGP Fingerprint>>
7C57 5EE5 0D5C C365 7E33 22E6 5353 FC39 0D7A DD1B

  Re: UKNM: Re: Portals?, Lee Rickler

[Previous] [Next] - [Index] [Thread Index] - [Next in Thread] [Previous in Thread]