Q. Does Nessus use username and password data and store it in plaintext locally even after the client connections are long gone?
A. Yes. If is not ok for vulnerability scanners like ISS and others to do this, why is it ok for Nessus to do this? ----- Original Message ----- From: "Raymond Morsman" <[EMAIL PROTECTED]> To: "~Kevin Davis�" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Sunday, March 28, 2004 4:27 PM Subject: Re: [Full-Disclosure] Nessus stores credentials in plain text > On Sat, 2004-03-27 at 17:47, ~Kevin Davis� wrote: > > Many people would disagree that storing passwords in plaintext is not a > > vulnerability. This includes entities like ISS who were doing the same > > thing and once realized it changed it. I don't see how a plaintext username > > and > > password is simply "system data" and not also credentials. And guess what? > > Nessus itself has several plugins that check for plaintext passwords in > > other applications. > > Q: Does Nessus use this data for its own persona-check? > A: No, it uses it for client connections. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
