Quakenbush Password Appraiser publishes Windows NT user passwords to the Internet
| quakenbush-pw-appraiser (1652) |  High Risk |
Description:
Quakenbush Password Appraiser provides weaker than expected security. Passwords are transmitted in plaintext. Quakenbush Password Appraiser, when using the Internet Query option, could allow an attacker utilizing a packet analyzer to intercept passwords.
Platforms Affected:
- Quakenbush, Password Appraiser
Remedy:
Users should not use the Internet Query option, but instead order the CD-ROM from Quakenbush, which negates the need for this option. Alternatively, for people who wish to use the Internet Query option, you should upgrade your version of the Password Appraiser, which uses SSL to communicate passwords securely.
Consequences:
Obtain Information
References:
- @stake, Inc./L0pht Security Advisory 01/21/99, L0pht Security Advisory on NT Password Appraiser at http://www.webproxy.com/research/advisories/1999/pwapprais.txt.
- Gerald Quakenbush Web site, Response to L0pht Security Advisory at http://www.quakenbush.com/L0pht.htm.
- CVE-1999-0397: The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext.
Reported:
Jan 21, 1999
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net