PGP Key Server Flaw Opens Door to Attackers
A flaw in the popular digital-certificate management product could enable an attacker to access a remote key server without having to enter a username or password.Security researchers have found a flaw in a popular digital-certificate management product that could enable an attacker to access a remote key server without having to enter a username or password. The vulnerability in PGP Key Server 7.0 enables an attacker to make configuration changes to the server but does not give him access to the stored keys or any of the data that those keys protect.
By entering a malformed Web URL, an attacker can bypass the usual authentication mechanism needed to access the Key Server administrative interface. The attacker could then reconfigure the server, including disabling it entirely, according to a bulleting released by PGP, a division of Network Associates Inc., in Santa Clara, Calif.