FreeBSD : mailman -- generated passwords are poor quality (b3cd00f7-c0c5-452d-87bc-086c5635333e)

This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

Florian Weimer wrote :

Mailman 2.1.5 uses weak auto-generated passwords for new subscribers.
These passwords are assigned when members subscribe without specifying
their own password (either by email or the web frontend). Knowledge of
this password allows an attacker to gain access to the list archive
even though she's not a member and the archive is restricted to
members only. [...]

This means that only about 5 million different passwords are ever
generated, a number that is in the range of brute-force attacks -- you
only have to guess one subscriber address (which is usually not that
hard).

See also :

http://www.nessus.org/u?33ef4805
http://www.nessus.org/u?f87b3a18
http://www.nessus.org/u?e4041c29

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 19088 (freebsd_pkg_b3cd00f7c0c5452d87bc086c5635333e.nasl)

Bugtraq ID:

CVE ID: CVE-2004-1143
