Many people would disagree that storing passwords in plaintext is not a vulnerability. This includes entities like ISS, who were doing the same thing and, once they realized it, changed it. I don't see how a plaintext username and password is simply "system data" and not also credentials. And guess what? Nessus itself has several plugins that check for plaintext passwords in other applications. I guess it has a different standard for itself as opposed to other applications. For many, it is not a matter of merely being "nice" to encrypt plaintext passwords, but a requirement. You are giving the keys to the kingdom away almost for free here.

> ----- Original Message -----
> From: "Raymond Morsman" <[EMAIL PROTECTED]>
> To: "~Kevin Davis" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Saturday, March 27, 2004 4:08 AM
> Subject: Re: [Full-Disclosure] Nessus stores credentials in plain text
>
>
> > On Sat, 2004-03-27 at 06:01, ~Kevin Davis wrote:
> > > I have posted this issue to a couple entities like bugtraq and CERT
> > > with no response. I mentioned this issue to an organization
> >
> > And so it should be. These are not vulnerabilities in the pure sense of
> > the word.
> >
> > What you call credentials are nothing more than system data for Nessus
> > and therefore not an issue for Nessus.
> >
> > You can't use MD5 on systemdata.
> >
> > However, I must agree that it would be nice if this information would be
> > encrypted with the users password.
> >
> > Raymond.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
