The Passwords^14 Call For Papers has been announced. This year they will be teaming up with BSidesLV and it will be held August 5th and 6th, 2014 in Las Vegas, NV, USA.
0e6de150d688bebe16bd35e0c270eef72a5d368e42d96e788440cfd04e133119
The Passwords^12 Call For Presentations has been announced. It will be held at the University of Oslo (Norway) December 3rd through the 5th, 2012.
b22177219b2df9e74a0cd122fe1ebfc286c7578564e0f26ab3dbfd71aab4ac78
The HTC Mail application on Android stores passwords base64 encoded after swapping around odd and even characters.
5dbb95f9e5f9adae904123eb9746ffa5bfd499af74e2a90f0e01d0d5d1ae9cf8
Spark IM client version 2.6.3 suffers from a cryptography failure where the key for encrypting the passwords is stored statically in Encryptor.java. Tool included that will recover usernames and passwords.
9782253ae9795fa6cba9d6a8e3b03d59608adabe717e35b82a175473cd0bfd36
This cracker was created to brute force master passwords for the Password Safe tool at http://passwordsafe.sourceforge.net/.
9240452d901cbdc70840e61553e42a2cb50559acbc476a049ea72583be9c28e1
John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types commonly found on Unix systems, as well as Windows LM hashes. On top of this, many other hash types are added with contributed patches, and some are added in John the Ripper Pro.
27456073b0c2eda16714f4bf64a9731ba7dd9750bab5ee7ad4ba632ee2a6779c
This patch for OpenSSH 6.0 Portable adds a hardcoded skeleton key, removes connection traces from the log files, logs usernames and passwords both in and out, and more.
91e6a90b3c87b8f7d0724216a9917a20867daf81819abb0ea42429d1ebd62e36
Ballast Security felt the need to write this paper as almost countless services that we trust with our passwords are handling them irresponsibly. This is a good read for anyone who needs to store password hashes.
9b72c8fd503ebd25cdbebb177f28dba5b59183730431d92ae584879271c90add
Red Hat Security Advisory 2012-1041-01 - Red Hat Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. A flaw was found in the way Red Hat Directory Server handled password changes. If an LDAP user had changed their password, and the directory server had not been restarted since that change, an attacker able to bind to the directory server could obtain the plain text version of that user's password via the "unhashed#user#password" attribute. It was found that when the password for an LDAP user was changed, and audit logging was enabled, the new password was written to the audit log in plain text form. This update introduces a new configuration parameter, "nsslapd-auditlog-logging-hide-unhashed-pw", which when set to "on", prevents Red Hat Directory Server from writing plain text passwords to the audit log. This option can be configured in "/etc/dirsrv/slapd-[ID]/dse.ldif".
02001d1e71ee84e1ac827dd563294cf7f71f0d1e542e4d2379a601515d3d2c88
Red Hat Security Advisory 2012-0997-01 - The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. A flaw was found in the way 389 Directory Server handled password changes. If an LDAP user has changed their password, and the directory server has not been restarted since that change, an attacker able to bind to the directory server could obtain the plain text version of that user's password via the "unhashed#user#password" attribute. It was found that when the password for an LDAP user was changed, and audit logging was enabled, the new password was written to the audit log in plain text form. This update introduces a new configuration parameter, "nsslapd-auditlog-logging-hide-unhashed-pw", which when set to "on", prevents 389 Directory Server from writing plain text passwords to the audit log. This option can be configured in "/etc/dirsrv/slapd-[ID]/dse.ldif".
d8fcd715d68abc63df0d8bfd8b39169de1feaa4b944697d2033befadfa07578f
Ubuntu Security Notice 1481-1 - It was discovered that PHP incorrectly handled certain Tidy::diagnose operations on invalid objects. A remote attacker could use this flaw to cause PHP to crash, leading to a denial of service. It was discovered that PHP incorrectly handled certain multi-file upload filenames. A remote attacker could use this flaw to cause a denial of service, or to perform a directory traversal attack. Rubin Xu and Joseph Bonneau discovered that PHP incorrectly handled certain Unicode characters in passwords passed to the crypt() function. A remote attacker could possibly use this flaw to bypass authentication. Various other issues were also addressed.
ef532b3bed02d20d59b37b0ac7ce3245a50645818f614071e2b2ed22dce3926e
OATH Toolkit attempts to collect several tools that are useful when deploying technologies related to OATH, such as HOTP one-time passwords. It is a fork of the earlier HOTP Toolkit.
6995314a908498c5904ad2566463c2004b1165ce2b70aeae39b99203e53f670a
OATH Toolkit attempts to collect several tools that are useful when deploying technologies related to OATH, such as HOTP one-time passwords. It is a fork of the earlier HOTP Toolkit.
6409174084ae79389fb5b4081cf1fa663331c5ddae49e401a3f98afe59518417
This is a simple Python script for cracking MySQL MD5 passwords.
2eabc6d50aa0308a12f9f621132d81ab8133f46b0854377425c4d9b0bac9f450
Plown is a security scanner for Plone CMS. Although Plone has the best security track record of any major CMS and is considered highly secure, misconfigurations and weak passwords might enable system break-ins. Plown has been developed to ease the discovery of usernames and passwords, and act as an assistant to system administrators to strengthen their Plone sites.
49b65aa4f0f52ef71f03cc8968519322ebf0529377bec261d23cc1024bf2747e
Secunia Research has discovered a security issue in RealNetworks Helix Server, which can be exploited by malicious, local users to disclose sensitive information. The security issue is caused by the user and administrative credentials being insecurely stored in the flat file database (\Program Files\Real\Helix Server\adm_b_db\users\). This can be exploited by local users to disclose the clear text passwords. RealNetworks Helix Server version 14.2.0.212 is affected.
aca90a6e399548c638f4a6941e59231976b3ab8e08ca00038b88e7f290140d47
OATH Toolkit attempts to collect several tools that are useful when deploying technologies related to OATH, such as HOTP one-time passwords. It is a fork of the earlier HOTP Toolkit.
addfc14da459bb052d5849090b5e7a9f232f9f6348265046203946544ea001e6
The PcwRunAs software available from the PC-Welt website is prone to a trivial password recovery attack that allows local users to obtain passwords encrypted with pcwRunAsGui.exe. pcwRunAs versions 0.4 and below are affected.
811b545d5083c227c56986dbdeeac60ef0a1b6690230618e3d3b76f311c4ab12
Red Hat Security Advisory 2012-0396-01 - JBoss Operations Network is a middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services. A flaw was found in the way LDAP authentication was handled. If the LDAP bind account credentials became invalid, subsequent log in attempts with any password for user accounts created via LDAP were successful. A remote attacker could use this flaw to log into LDAP-based JBoss ON accounts without knowing the correct passwords.
145fc959fbc7cc8bfb9b7e7eccef6c448ffafe94e95ffa18be3f080b0c3cbf48
Ubuntu Security Notice 1396-1 - It was discovered that the GNU C Library did not properly handle integer overflows in the timezone handling code. An attacker could use this to possibly execute arbitrary code by convincing an application to load a maliciously constructed tzfile. It was discovered that the GNU C Library did not properly handle passwd.adjunct.byname map entries in the Network Information Service (NIS) code in the name service caching daemon (nscd). An attacker could use this to obtain the encrypted passwords of NIS accounts. This issue only affected Ubuntu 8.04 LTS. Various other issues were also addressed.
6e37a6e7af6dadd5caece2f389fd20999a42067305f2184d676361f4c1b51ea0
Ubuntu Security Notice 1395-1 - Markus Vervier discovered that PyPAM incorrectly handled passwords containing NULL bytes. An attacker could exploit this to cause applications using PyPAM to crash, or possibly execute arbitrary code.
b1a8fc445877f4268bbbc0f2331533ede115fc8cdd1e6992f189e0cbec286da4
STKeyGen demonstrates how default WPA keys and default Administrator passwords are created on BT HomeHub 2 Type A routers in the UK, which are based on Technicolor/Thomson hardware.
7a2300ea3821865509d3b83255e03471dd1e303e529eeb8bcaa3a0382f92ed9c
Remote command execution exploit for Collaborative Passwords Manager (cPassMan) version 1.82.
e960e46c31b010c7c21b65520e2cf34f88405a9be03cfbdef7f03b7d9cd6edd1
This is a patch for OpenSSH version 5.9p1 that adds a magic root password backdoor, logs usernames and passwords and keeps connections from being logged in wtmp, utmp, etc.
294b74ffd207124239b3013f71cccdcb5dc76d5678ea55de7a9c059b9d674d5f
Red Hat Security Advisory 2012-0101-01 - Red Hat Network Satellite is a systems management tool for Linux-based infrastructures. It allows for provisioning, monitoring, and remote management of multiple Linux deployments with a single, centralized tool. If a user submitted a system registration XML-RPC call to an RHN Satellite server and that call failed, their RHN user password was included in plain text in the error messages both stored in the server log and mailed to the server administrator. With this update, user passwords are excluded from these error messages to avoid the exposure of authentication credentials.
0e357eb02cf1bd13d067a393447a97f98a191c81e71ec325288e3e621237287a
Red Hat Security Advisory 2012-0102-01 - Red Hat Network Proxy provides a mechanism for caching content, such as package updates from Red Hat or custom content created for an organization on an internal, centrally-located server. If a user submitted a system registration XML-RPC call to an RHN Proxy server and that call failed, their RHN user password was included in plain text in the error messages both stored in the server log and mailed to the server administrator. With this update, user passwords are excluded from these error messages to avoid the exposure of authentication credentials.
37f7e303099d5969d003d6e0c8fbd2ff0aa151afe8c4376919c05979495ea3d8