Alexis Server Web access sends sensitive information in plain text

alexis-http-plaintext-information (7205) The risk level is classified as HighHigh Risk

Description:

Alexis could allow a remote attacker to obtain valid usernames and passwords. The Web access component opens a Java Applet during authentication and transmits the username and password in plain text back to the server on port 8888. If a remote attacker uses a sniffing tool once this information is being transmitted, the attacker can obtain the username and password and gain unauthorized access to voice mail and other services.


Consequences:

Gain Access

Remedy:

No remedy available as of July 1, 2014.

References:

  • BugTraq Mailing List, Thu Sep 27 2001 - 18:53:04 CDT: Two problems with Alexis/InternetPBX from COM2001.
  • BID-3373: COM2001 Alexis Server Web Access Plaintext Password Vulnerabilty
  • CVE-2001-1253: Alexis 2.0 and 2.1 in COM2001 InternetPBX stores voicemail passwords in plain text in the com2001.ini file, which could allow local users to make long distance calls as other users.
  • CVE-2001-1254: Web Access component for COM2001 Alexis 2.0 and 2.1 in InternetPBX sends username and voice mail passwords in the clear via a Java applet that sends the information to port 8888 of the server, which could allow remote attackers to steal the passwords via sniffing.
  • OSVDB ID: 14230: COM2001 InternetPBX Alexis com2001.ini Voicemail Password Cleartext Disclosure
  • OSVDB ID: 14231: COM2001 InternetPBX Alexis Auth Credential Cleartext Transmission

Platforms Affected:

  • COM2001 Alexis Server 2.0
  • COM2001 Alexis Server 2.1

Reported:

Sep 27, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page