Bug 438379 (CVE-2008-1394) - CVE-2008-1394 Plone stores a password in a cookie
Summary: CVE-2008-1394 Plone stores a password in a cookie
Status: CLOSED NOTABUG
Alias: CVE-2008-1394
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-03-20 17:25 UTC by Lubomir Kundrak
Modified: 2008-03-20 17:27 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2008-03-20 17:27:32 UTC


Attachments (Terms of Use)

Description Lubomir Kundrak 2008-03-20 17:25:49 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1394 to the following vulnerability:

Plone CMS before 3 places a base64 encoded form of the username and password in the __ac cookie for all user accounts, which makes it easier for remote attackers to obtain access by sniffing the network.

References:

http://www.securityfocus.com/archive/1/archive/1/489544/100/0/threaded
http://www.procheckup.com/Hacking_Plone_CMS.pdf
http://plone.org/about/security/overview/security-overview-of-plone/

Comment 1 Lubomir Kundrak 2008-03-20 17:27:32 UTC
Fedora Project does not consider this a security issue.
For secure communication over HTTP, SSL/TLS should be used.


Note You need to log in before you can comment on or make changes to this bug.