Dear Bugtraq, Here is Trend Micro's reply to this claim This kind of sniffing and "hijacking" of login could be done to almost all ordinary installed http products with login procedure. Since we offer a way to install it with HTTPS(SSL) and making login and communicating with the server secure, we have a internal discussion about if we should call this a "Vulnerability" or not. We have made the R&D promise that next version will be with the question in the installation program for installing SSL support. On the other hand this product should be installed by IT professionals. And it should be obvious to them that IIS in http mode is not security enough. We thank you for pointing out this to us and we are grateful that our products are "checked" for security issues! We can sometime like in this case just assume that all think of security issues but the truth is that IT personal have more than security to think about. So things like this are constantly missed! Here is a link on how to enable HTTPS support for Trend Micro Control Manager http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp ?solutionId=21306 Thanks, Hammud Saway Trend Micro Global Director of Premium Services >From: "CIRT Advisory" <advisory@xxxxxxx> >To: <bugtraq@xxxxxxxxxxxxxxxxx> >Subject: Trend Micro Control Manager - Enterprise Edition 3.0 Web >application Replay attack >Date: Thu, 13 Jan 2005 19:45:53 +0100 >X-Mailer: Microsoft Outlook, Build 10.0.6626 > >The web application are vulnerable to a replay attack, meaning that the >username and password are encrypted but there are not used any form of >timestamp to make this mechanism more advanced and secure. > >If it is possible to sniff the traffic when a user login to the >administrative interface, it is possible to replay this sequence and >get a valid login session, with the rights of the user. > >Vendors response to this was, it is a feature not a vulnerability and >all the others also have this problem. > >Read the full advisory at >http://www.cirt.dk/advisories/cirt-28-advisory.pdf > >---------------------------------------------------------------------- >Danish Incident Response Team >http://www.cirt.dk >---------------------------------------------------------------------- -- AV-Test GmbH, Klewitzstr. 7, 39112 Magdeburg, Germany Phone: +49 (0)391 6075466, <http://www.av-test.org> TREND MICRO EMAIL NOTICE The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
