Centra Software first became aware of a security vulnerability in several versions of its products with a posting to the Bugtraq distribution lists. Centra is a vendor committed not only to providing secure software solutions, but also to informing its customers immediately of any vulnerabilities it discovers in its products and, as such, is notifying all its customers and Bugtraq subscribers with its response to this vulnerability.

If you have additional questions or inquiries, please contact Centra Customer Support directly at support@centra.com.

Thanks,
- The Centra Customer Support Team

****************************************************************************
ORIGINAL POSTING

Date Published: 12/17/01
Bugtraq ID: -
CVE CAN: -
Title: Dangerous information being recorded in CentraOne Log files, possible user impersonation
Severity: Medium
Remote Exploit: No
Local Exploit: Yes

****************************************************************************
RESPONSE FROM THE VENDOR, CENTRA SOFTWARE

DESCRIPTION OF VULNERABILITY

This security bug applies to CentraOne v5.2 customers using Centra Smart Connect patch CEN5.2-03 (released November 11, 2001) and Centra ASP customers. For both sets of customers, it only applies to users who connect to the Centra Server through a proxy server which has Basic Authentication enabled.

When the client launches, a log file is created on the end user's local PC. If the user is connecting through a proxy server with Basic Authentication enabled, the log file contains information about the proxy server, including a base64-encoded username/password string. Because base64 is an encoding rather than encryption, this string is equivalent to the plaintext proxy credentials. This information could be used to launch an impersonation attack by an individual who has physical access to the log files on the end user's client PC.

PREVENTION OF VULNERABILITY

Below is a list of steps you can take to avoid this problem. Please contact Centra Customer Support for more details.

NOTE: Only applicable to customers using CentraOne 5.2 with Patch CEN5.2-03 and Centra ASP services.

- Upgrade to CentraOne 5.3 General Availability, which is not susceptible to this problem and is available from Centra today.
- Install the patch designed to address this, which will be available for download from the Centra customer support web site on or before Friday, January 4.
- Centra will be adding a patch to the Centra eMeeting ASP service to address this bug.

****************************************************************************
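For customers who cannot patch immediately, a practical interim control is to audit existing client log files for leaked proxy credentials and scrub them. The following is an added example, not code from Centra or from the original posting; the log line layout and the "Proxy-Authorization: Basic ..." field are constructed for illustration and do not reflect the actual CentraOne log format. It flags lines whose base64 token decodes to a "user:password" pair and produces a redacted copy of the log.

```python
import base64
import re

# Constructed sample log (hypothetical layout, NOT the real CentraOne log format).
# Line 3 carries a base64 token that decodes to "alice:password123";
# line 5 carries a base64 token that decodes to "not-a-credential" (no colon).
SAMPLE_LOG = """\
2001-12-17 09:12:01 client start version=5.2 patch=CEN5.2-03
2001-12-17 09:12:02 proxy host=proxy.example.internal port=8080
2001-12-17 09:12:02 proxy header Proxy-Authorization: Basic YWxpY2U6cGFzc3dvcmQxMjM=
2001-12-17 09:12:03 connect server=centra.example.internal status=ok
2001-12-17 09:12:04 proxy header Proxy-Authorization: Basic bm90LWEtY3JlZGVudGlhbA==
"""

# Matches the token following "Basic" in an HTTP Basic Authentication header.
BASIC_TOKEN_RE = re.compile(r"\bBasic\s+([A-Za-z0-9+/]+=*)")


def basic_credential_user(token):
    """Return the username if the token decodes to 'user:password', else None.

    Base64 is an encoding, not encryption, so a logged Basic token is the
    plaintext credential; only the username is returned so callers never
    propagate the password into another log or report.
    """
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    if not sep or not user:
        return None
    return user


def find_leaked_credentials(log_text):
    """Return a list of (line_number, username) for lines that leak a credential."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for token in BASIC_TOKEN_RE.findall(line):
            user = basic_credential_user(token)
            if user is not None:
                findings.append((line_no, user))
    return findings


def redact_log(log_text):
    """Return a copy of the log with every Basic token replaced by [REDACTED].

    All Basic tokens are blanked, not just those that decode cleanly, so a
    credential in an unexpected character set is not left behind.
    """
    return BASIC_TOKEN_RE.sub("Basic [REDACTED]", log_text)


if __name__ == "__main__":
    for line_no, user in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {line_no}: proxy credential for user '{user}' recorded in log")
    print(redact_log(SAMPLE_LOG))
```

Run against a directory of collected client logs, the findings list tells an administrator which proxy accounts need a password reset, while the redacted copy can be retained for troubleshooting without carrying the credential.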