search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Air Messenger LAN Server (AMLServer) stores usernames and passwords in plaintext

Vulnerability Note VU#139139

Original Release Date: 2001-10-26 | Last Revised: 2001-10-26

Overview

Air Messenger LAN Server (AMLServer) stores usernames and passwords in plaintext.

Description

AMLServer for windows is a paging gateway that allows users on a TCP/IP LAN to communicate with mobile devices such as phones and pagers. Access to AMLServer's services is protected by a user authentication system that stores usernames and passwords in a plaintext file.

Impact

If an attacker can view the AMLServer password file (through direct access or another vulnerability), they can login as any AMLServer user.

Solution

Apply a patch when one is available. The CERT/CC is currently unaware of a practical solution to this problem.

None.

Vendor Information

139139
Expand all

Internet Software Solutions

Updated:  October 25, 2001

Status

  Vulnerable

Vendor Statement

[O]ur new version has this fixed but is still in testing and should be out later this month [October, 2001]. The beta can be downloaded from


http://www.internetsoftwaresolutions.org/amlserver.zip.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to SNS Research for discovering this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: None
Severity Metric: 0.07
Date Public: 2001-06-18
Date First Published: 2001-10-26
Date Last Updated: 2001-10-26 02:05 UTC
Document Revision: 9

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.