Citrix MetaFrame Password Manager Information Disclosure Vulnerability
TITLE: Citrix MetaFrame Password Manager Information Disclosure Vulnerability
CLASS: Design Error
CVE:
REMOTE: No
LOCAL: Yes
PUBLISHED: May 18 2007 12:00AM
UPDATE: May 18 2007 12:00AM
CREDIT: The vendor disclosed this issue.
VULNERABLE:
Citrix MetaFrame Password Manager 2.5NOT VULNERABLE:
Citrix MetaFrame Password Manager 2.0
Vai alla pagina originale su Security Focus
Discussion
Citrix MetaFrame Password Manager is prone to an information-disclosure vulnerability.
Users can exploit this issue to view their own secondary passwords, regardless of administrative policies that may not allow it.
Successful exploits will allow an attacker to access currently logged-in account passwords that are managed by the affected software. This will allow attackers to later access applications and services in a manner that is not authorized by administration.
Citrix MetaFrame Password Manager 2.5 and prior versions are vulnerable.
Exploit
An attacker can exploit this issue by using a password-extracting tool.
Solution
Solution:
The vendor has released a hotfix to address this issue. Please see the references for more information.
Citrix MetaFrame Password Manager 2.5
- Cuyahoga MPM250W009.msi
http://support.citrix.com/servlet/KbServlet/download/8694-102-14374/MPM250W009.msi
References
References:
- Citrix Homepage (Citrix)
- Hotfix MPM250W006 - For Metaframe Password Manager 2.5 (Citrix)
- MetaFrame Password Manager "reveal password" policy bypass (Citrix)