Full Disclosure mailing list archives

Re: Nessus stores credentials in plain text
From: Raymond Morsman <raymond () dyn org>
Date: Sun, 28 Mar 2004 23:27:18 +0200

On Sat, 2004-03-27 at 17:47, ~Kevin Davis³ wrote:
> Many people would disagree that storing passwords in plaintext is not a
> vulnerability.  This includes entities like ISS who were doing the same
> thing and, once they realized it, changed it.  I don't see how a plaintext
> username password is simply "system data" and not also credentials.  And
> guess what?  Nessus itself has several plugins that check for plaintext
> passwords in other applications.

Q: Does Nessus use this data for its own persona-check?
A: No, it uses it for client connections.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html