Security researchers have found a flaw in a popular digital-certificate management product that could enable an attacker to access a remote key server without having to enter a username or password.
The vulnerability in PGP Key Server 7.0 enables an attacker to make configuration changes to the server but does not give him access to the stored keys or any of the data that those keys protect.
By entering a malformed Web URL, an attacker can bypass the usual authentication mechanism needed to access the Key Server administrative interface. The attacker could then reconfigure the server, including disabling it entirely, according to a bulleting released by PGP, a division of Network Associates Inc., in Santa Clara, Calif.
The flaw affects only Version 7.0 of Key Server but is found in both the Windows NT and Solaris versions.
Key Server is a certificate storage and management package that is used in conjunction with encryption software to manage the use and distribution of digital certificates.
PGP has posted to its Web site a fix for the new vulnerability.