Info

Disclosure

Jan 06, 2007

Discovery

Aug 01, 2001

Dates

Exploit

Unknown

Solution

Unknown

Description

The Meridian Integrated Personal Call Director (MIPCD) contains a flaw that may lead to an unauthorized password exposure. It is possible to gain remote access to the /LOGIN.PWD and /USER/CONFIG.AP files through the web interface. These files contain the user names and encrypted passwords for all MIPCD users (including the administrator account), which may lead to a loss of confidentiality.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Web Related

Solution

Upgrade to version 1.5 (11-19-2002) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Nortel Networks

MIPCD

1.04

References

Related OSVDB ID: 31151 31152
Vendor Specific News/Changelog Entry: http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=software&tranProduct=9298

Credit

Sullo - sullocirt.net - cirt.net

Direct URL: http://osvdb.org/31150