Redi Locally Readable Username/Password Vulnerability
BID:2495
Info
| Bugtraq ID: | 2495 |
| Class: | Design Error |
| CVE: | CVE-2001-0415 |
| Remote: | No |
| Local: | Yes |
| Published: | Mar 20 2001 12:00AM |
| Updated: | Jul 11 2009 06:06AM |
| Credit: | Reported to bugtraq by Doug Nakatomi on Tue, 20 Mar 2001. |
| Vulnerable: | Redi RediPlus 1.0 |
| Not Vulnerable: | |
Discussion
Redi.exe is part of a suite of realtime stock trading tools used by professional traders.
Sensitive user information, including usernames and passwords, is stored on the client's system in cleartext in a log file used for troubleshooting. This file has a known default location and is readable by a local attacker.
Properly exploited, the information contained in this file gives an attacker the ability to execute trades and carry out other financial activities on behalf of the legitimate Redi user.
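The design error described above is avoided when credentials are scrubbed before a troubleshooting log is written. The following is an added example, not RediPlus code and not from the vendor: a Python logging filter that redacts credential fields, plus a helper that audits an existing log for values left in cleartext. The key names, logger name and sample log lines are constructed assumptions, since the page does not give the RediPlus log format.

```python
import io
import logging
import re

# Field names treated as sensitive. Constructed list: the page does not
# document the RediPlus log format.
SENSITIVE_KEYS = ("username", "user", "password", "passwd", "pwd")

# key=value or key: value, value either double-quoted or a run of non-spaces.
_PAIR = re.compile(
    r'(?i)\b(' + "|".join(SENSITIVE_KEYS) + r')(\s*[=:]\s*)("[^"]*"|\S+)'
)

def redact(text: str) -> str:
    """Replace the value of every sensitive key with a fixed marker."""
    return _PAIR.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", text)

class RedactingFilter(logging.Filter):
    """Scrub credentials from a record before a handler writes it out."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # format first, then scrub
        record.args = None                        # msg is already formatted
        return True

def find_cleartext_credentials(log_text: str) -> list[int]:
    """Audit an existing log: 1-based numbers of lines still holding values."""
    return [n for n, line in enumerate(log_text.splitlines(), 1)
            if redact(line) != line]

def demo() -> str:
    """Send a constructed login trace through the filter; return the output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("trading_client_demo")  # hypothetical logger name
    log.handlers[:] = [handler]
    log.propagate = False
    log.setLevel(logging.DEBUG)
    log.debug("login user=%s password=%s host=%s", "jdoe", "s3cr3t!", "gw01")
    return stream.getvalue()

# Constructed sample of an unfiltered troubleshooting log.
SAMPLE_LOG = """connect host=gw01 port=4000
login user=jdoe password=s3cr3t!
session established
"""

if __name__ == "__main__":
    print(demo(), end="")
    print(find_cleartext_credentials(SAMPLE_LOG))
```

The filter is attached to the handler so that every record reaching the file is scrubbed, regardless of which part of the application logged it.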
Solution / Fix
Solution:
* Vendor has supplied a patch, available at:
http://www.redi.com/rpdownload.html
References
References:
- RediPlus Download Page (Redi Products)