[Original text] The Web Reports Server for SurfControl SuperScout WebFilter stores the "scwebusers" username and password file in a web-accessible directory, which allows remote attackers to obtain valid usernames and crack the passwords.
SurfControl SuperScout Web Filter User Accounts Information Disclosure
Loss of Confidentiality
SurfControl web filters contain a flaw that allows a remote attacker to gain username and password information. The issue is due to the web filter leaving the user file accessible to anyone via the web. Usernames are stored in plaintext while the passwords are encrypted.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: disable the reports server and consider using a terminal session to the server to access the reports.
Vulnerability discovery credited to Matt Moore <email@example.com>.
SurfControl Web Filter for Windows NT/2000 4.1
SurfControl Web Filter for Windows NT/2000 4.0
SurfControl SuperScout Web Filter for Windows NT/2000 3.0.3
SurfControl SuperScout Web Filter for Windows NT/2000 3.0
SurfControl SuperScout WebFilter is web filtering software for Microsoft Windows operating systems. SurfControl SuperScout WebFilter includes a remotely accessible reporting service.
It has been reported that SuperScout WebFilter insecurely stores some types of information. The reports server included as part of the SuperScout WebFilter package stores sensitive information in a publicly accessible, unrestricted directory. A remote user could gain access to user credentials.
No exploit is required for this vulnerability.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org.