Title: iPlanet Calendar Server Plaintext Admin Password Vulnerability
Severity: MODERATE
Description:
iPlanet's Calendar Server provides enterprise-wide calendar/planner sharing services.
Affected versions of Calendar Server store usernames, passwords, and other sensitive information in a file that can be read by arbitrary local users.
By default, the target file, ics.conf, is located in /opt/SUNWics5/cal/bin/config/. It is used by iPlanet Calendar to store the NAS LDAP database administrative username and password in plaintext form.
If obtained by a malicious user, this data may grant a remote user administrative access to the Netscape Application Server's LDAP (Lightweight Directory Access Protocol) database. The LDAP database stores user account information, access control lists, authentication certificates and other confidential data. By gaining access to this database, an attacker may effect further breaches of the host's security.
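An added example, not part of the original advisory and not vendor code: a portable sh check that reports whether a configuration file such as ics.conf is readable by arbitrary local users, using the file's "other" read bit and the search bit on each parent directory. The function names and the optional STOP argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not vendor code): report whether a configuration file such as
# ics.conf can be read by arbitrary local users. Paths must be absolute.
# Usage: sh audit_conf.sh /opt/SUNWics5/cal/bin/config/ics.conf

# mode_string PATH: print the 10-character mode field from ls, e.g. -rw-r--r--
mode_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# others_can_reach DIR [STOP]: succeed if DIR and each parent up to STOP
# (default /) carries the "other" search bit, so any local user can traverse.
others_can_reach() {
    dir=$1
    stop=${2:-/}
    while :; do
        dmode=$(mode_string "$dir")
        case $(printf '%s' "$dmode" | cut -c10) in
            x|t) ;;             # t = search bit plus sticky bit
            *) return 1 ;;      # no search bit, or directory not listable
        esac
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then return 0; fi
        dir=$(dirname "$dir")
    done
}

# audit_conf FILE [STOP]: return 0 = restricted, 1 = exposed, 2 = not checked
audit_conf() {
    conf=$1
    case $conf in
        /*) ;;
        *) echo "SKIP $conf: absolute path required"; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "MISSING $conf"; return 2; }
    fmode=$(mode_string "$conf")
    if [ "$(printf '%s' "$fmode" | cut -c8)" = "r" ] &&
       others_can_reach "$(dirname "$conf")" "${2:-/}"; then
        echo "EXPOSED $conf mode=$fmode: readable by any local user"
        return 1
    fi
    echo "OK $conf mode=$fmode: not readable by arbitrary local users"
    return 0
}

# Run only when a path is given on the command line.
[ "$#" -eq 0 ] || audit_conf "$@"
```

The check reads classic permission bits only; ACLs and group membership are not evaluated.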
Affected Products:
- iPlanet Calendar Server 2.1.0
- iPlanet Calendar Server 2.1.0p1
- iPlanet Calendar Server 2.1.0p2
- iPlanet Calendar Server 2.1.0p3
- iPlanet Calendar Server 5.0.0p1
- iPlanet Calendar Server 5.0.0p2
References:
- iPlanet: iPlanet Calendar Server homepage