KGB Vulnerability Advisory 20080301-2 Title: University of Illinois at Springfield Lack of Encryption of User Credentials Date: 01 March 2008 Author: Particle Bored Vulnerability Class: Account Compromise Affected Systems: http://webmail.uis.edu/ Overview: Valid user name/password combinations are transmitted over public networks unencrypted. Technical Details: User credentials are not encrypted -- they are simply BASE64 encoded. Impact: System Administrators and others with access to communications destined for the site can intercept all of the information necessary to log in to the system as an authorized individual. Theft of valid user credentials could easily be done in a manner that is not detectable. Subsequent unauthorized use of the valid credentials would be extremely difficult to discern from activity of the authorized user. Recommendations: Utilize SSL, TLS or other globally recognized methods to encrypt transmission of authentication information. Discovered: February 2008 Vendor Notified: 01 March 2008 (shuts1@uis.edu) General Release: 20 April 2008 After no response from vendor. Public Disclosure: In order to best serve the interests of all parties affected this advisory will be made publicly available 30 days after the initial vendor notification. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. About KGB: KGB is an independent vulnerability research organization based in the United States. It provides the results of its research free of charge since that is all most development companies are willing to pay for security and quality assurance. Copyright 2008 KGB.TO. All rights reserved. Permission is hereby granted for the redistribution of this advisory electronically. It is not to be edited in any way without express consent of KGB.TO. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email particle.bored@kgb.to for permission.