Avaya IP Softphone plaintext password
| ipsoftphone-plaintext-password (19438) |  Medium Risk |
Description:
IP Softphone could allow a local or possibly remote attacker to obtain sensitive information. The username and password are stored in the Windows Registry in plain text. A local or possibly a remote attacker could exploit this vulnerability to view usernames and passwords in plain text.
Consequences:
Obtain Information
Remedy:
No remedy available as of July 9, 2011.
References:
- Avaya Security Advisory March 2, 2005: Sensitive Information Leakage.
- Avaya Web site: IP Softphone - Prod Overview.
- Avaya Web site: Avaya - Support - IP Office Phone Manager Software 1.4.8.
- BugTraq Mailing List, Tue Feb 22 2005 - 13:06:08 CST : Re: Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability.
- BugTraq Mailing List, Tue Feb 22 2005 - 17:29:52 CST : Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability.
- CVE-2005-0506: The Avaya IP Office Phone Manager, and other products such as the IP Softphone, stores sensitive data in cleartext in a registry key, which allows local and possibly remote users to steal usernames and passwords and impersonate other users via keys such as Avaya\IP400\Generic.
Platforms Affected:
- Avaya IP Office Phone Manager
- Avaya IP Soft Phone
Reported:
Feb 22, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net