NAI PGP Keyserver Web Administration Interface Authentication Bypassing Vulnerability

NAI PGP Keyserver Web Administration Interface Authentication Bypassing Vulnerability

PGP Keyserver is a commercially available encryption software package from Network Associates. It is designed as a PGP public key management system, with features such as LDAP.

A problem in the PGP key server makes it possible for remote users to gain administrative access to the interface. Typical administration of the interface passes commands through the http://www.example.com/keyserver/cgi-bin/console.exe?page_size=... and http://www.example.com/keyserver/cgi-bin/cs.exe?action=... commands. These commands, however, may be directly accessed without authentication from the user.

This makes it possible for a remote user to deny service to a legitimate user of the system. This could also potentially result in a malicious user replacing PGP Keys with malicious keys, and gaining access to sensitive information.