Info

Disclosure

Oct 01, 2002

Discovery

Unknown

Dates

Exploit

Oct 01, 2002

Solution

Unknown

Description

SurfControl web filters contain a flaw that allows a remote attacker to trivially obtain and decrypt passwords. The issue is due to the JavaScript program used to encrypt passwords using a "text string" and "key", which is hard coded into a JavaScript function and trivial to decrypt (The key is "test"). With this information, an attacker can access any reports available on the server.

Classification

Unknown or Incomplete

Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workarounds: Disable the reports server and consider using a terminal session to the server to access the reports.

Products

SurfControl plc	SuperScout Web Filter	3.0
		3.0.3
	Web Filter	4.0
		4.1

References

ISS X-Force ID: 10247
CVE ID: 2002-0706 (see also: NVD)
Vendor URL: http://www.surfcontrol.com/
Other Advisory URL: http://www.westpoint.ltd.uk/advisories/wp-02-0005.txt

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

SurfControl plc

SuperScout Web Filter

Web Filter

References

Credit