PalmVNC stores usernames and passwords in plain text
| palmvnc-plaintext-passwords (12083) |  Medium Risk |
Description:
PalmVNC stores passwords in plain text in a database called PalmVNCDB. PalmVNC uses a 'backup bit' to copy the database into a file named PalmVNCDB.PDB, which is located in the user's directory of any computer that is synchronized with the palm. A local attacker with access to the computer could exploit this vulnerability to access usernames and passwords to gain unauthorized access to the Palm PDA.
Platforms Affected:
- Harakan Software, PalmVNC 1.40
- Palm, Palm OS
Remedy:
No remedy available as of July 4, 2009.
Consequences:
Obtain Information
References:
- BugTraq Mailing List, Mon May 26 2003 - 14:17:35 CDT , PalmVNC 1.40 Insecure Records at http://archives.neohapsis.com/archives/bugtraq/2003-05/0279.html.
- BID-7696: PalmVNC Insecure Password Storage Vulnerability
- CVE-2003-0406: PalmVNC 1.40 and earlier stores passwords in plaintext in the PalmVNCDB, which is backed up to PCs that the Palm is synchronized with, which could allow attackers to gain privileges.
Reported:
May 26, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net