Initial Publication Date: 12 Dec 2012
Advisory Status: Closed
Advisory Severity: High
CVSS Base Score: CVSS v2: 8.3
Legacy ID: SA71
By default, logging in to Reporter is performed over HTTP, allowing an attacker to gain access to the Administrator’s credentials and all session data. Disconnected login is also enabled by default thereby storing the Administrator’s LDAP password on Reporter.
All versions of Reporter prior to 9.4 are vulnerable. Windows, Linux, and Virtual Appliance versions are all vulnerable.
Reporter 9.3 – a fix is available in 188.8.131.52.
Reporter 9.2 and earlier – please upgrade to a later version.
Reporter 8.3 and earlier – please upgrade to a later version.
Additional Product Information
No CVE has been assigned at this time.
Reporter is not secure by default when installed with the default configuration values.
By default, administrative connections go over a clear text channel (HTTP), allowing an attacker with access to the network path to view, replay, and modify all login and session data, including the Administrator's credentials and session cookie.
Disconnected login is also enabled by default in 9.x releases. Disconnected login stores the password used by the Administrator locally with minimal obfuscation. An attacker who is able to de-obfuscate the stored password will thereby be able to log in to Reporter as the Administrator and, because the same password is used for directory authentication, will also be able to log in to the configured LDAP directory with that account.
Reporter 9.3 and later defaults to HTTPS for administrative connections and redirects HTTP connections to HTTPS. Reporter also disables disconnected login by default.
Configure Reporter to support HTTPS for management connections and always connect to Reporter over HTTPS. Disable disconnected login.
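The following audit helpers are an added example and are not Blue Coat code. They show the two things the advisory describes: what a passive observer on the management network recovers from a cleartext login POST, and the check that confirms the fixed behaviour (plain-HTTP requests to the management port answered with a redirect to an https:// URL). The login path "/login", the form field names "username" and "password", the hostname and the sample captures are all constructed assumptions; the advisory does not state Reporter's real paths or field names.

```python
"""Audit helpers for the SA71 issue (cleartext Reporter management logins).

Added example, not Blue Coat code. The '/login' path, the 'username' /
'password' field names, the hostname and the raw captures below are
constructed assumptions, not taken from the product.
"""
import http.client
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a login POST as seen by a sniffer on the management
# network when Reporter still serves its UI over HTTP (pre-9.3 default).
CLEARTEXT_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: reporter.example.internal\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: JSESSIONID=constructed-session-id\r\n"
    b"Content-Length: 33\r\n"
    b"\r\n"
    b"username=admin&password=S3cret%21"
)

# Constructed sample of the fixed behaviour (HTTP redirected to HTTPS) ...
SECURE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://reporter.example.internal/login\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# ... and of the vulnerable default (login form served directly over HTTP).
INSECURE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 41\r\n"
    b"\r\n"
    b"<html><form method=post>...</form></html>"
)

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_http_message(raw: bytes):
    """Split a raw HTTP request or response into (start line, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def credentials_from_cleartext_login(raw: bytes) -> dict:
    """Return what a passive attacker recovers from an HTTP login POST.

    With no TLS there is nothing to defeat: the form fields (credentials)
    and the session cookie are readable directly from the wire.
    """
    start, headers, body = parse_http_message(raw)
    method, target, _ = start.split(" ", 2)
    found = {"method": method, "path": urlsplit(target).path}
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("iso-8859-1"))
        found["form"] = {k: v[0] for k, v in form.items()}  # %21 -> '!'
    if "cookie" in headers:
        found["cookie"] = headers["cookie"]  # replayable session material
    return found


def http_management_is_redirected(raw_response: bytes) -> bool:
    """True only if a plain-HTTP request to the management port is answered
    with a redirect whose Location uses the https scheme.

    A 200 with a login form, or a redirect that stays on http://, both
    mean the administrator's password will cross the network in clear.
    """
    start, headers, _ = parse_http_message(raw_response)
    status = int(start.split(" ", 2)[1])
    if status not in REDIRECT_STATUSES:
        return False
    return urlsplit(headers.get("location", "")).scheme == "https"


def probe_live_host(host: str, port: int = 80, path: str = "/login") -> bool:
    """Issue one HEAD request to a real host and apply the same rule.

    Not exercised by the offline samples; 'path' is an assumed login URL.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    location = resp.getheader("Location", "")
    conn.close()
    return resp.status in REDIRECT_STATUSES and urlsplit(location).scheme == "https"


if __name__ == "__main__":
    print("sniffed:", credentials_from_cleartext_login(CLEARTEXT_LOGIN))
    print("fixed default redirects:", http_management_is_redirected(SECURE_RESPONSE))
    print("vulnerable default redirects:", http_management_is_redirected(INSECURE_RESPONSE))
```

Run the module directly to see both samples classified; point `probe_live_host` at a Reporter management address to apply the same redirect check against a real instance. Note that a redirect alone only covers the first request: the advisory's guidance is to always connect over HTTPS, so the check should be repeated after any configuration change and HTTP should ideally not be listened on at all.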
2012-12-12 Initial public release