The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of InterScan Web Security Suite: obtaining password

Synthesis of the vulnerability 

When an authentication is configured for Trend Micro InterScan Web Security Suite, an attacker can obtain the login and the password of the user.
Impacted products: InterScan Web Security Suite.
Severity of this bulletin: 2/4.
Creation date: 10/02/2009.
Références of this threat: BID-33687, CVE-2009-0612, VIGILANCE-VUL-8457.

Description of the vulnerability 

The Trend Micro IWSS (InterScan Web Security Suite) product filters web access of users.

A basic authentication can be configured to access to this service. In this case, the web browser of user sends an HTTP query containing the login and the password encoded as base64:
  Proxy-Authorization: Basic encoded-login-password
Then, IWSS suppresses this header and sends the HTTP query to the remote server. The server thus receives a query which do not contain the proxy login and password.

However, Windows Media Player uses the following header:
  Proxy-Authorization: basic encoded-login-password
It can be noted that the "basic" word does not start by an uppercase character. In this case, IWSS does not suppress this header before sending the HTTP query to the remote server.

An attacker can therefore create a web page containing a multimedia document, and invite the victim to display it. The attacker's web server will then receive the login and password of the IWSS proxy of the victim.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This threat note impacts software or systems such as InterScan Web Security Suite.

Our Vigil@nce team determined that the severity of this cybersecurity note is medium.

The trust level is of type confirmed by a trusted third party, with an origin of internet server.

An attacker with a expert ability can exploit this vulnerability note.

Solutions for this threat 

Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides an application vulnerability announce. The technology watch team tracks security threats targeting the computer system.