lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 14 Dec 2003 20:04:26 -0000
From: JeiAr <security@...ftech.org>
To: bugtraq@...urityfocus.com
Subject: Issues In CGINews and CGIForum




Vendor  : Markus Triska
URL     : http://triskam.virtualave.net/cginews.html
Version : 1.07 And Possible Earlier & CGIForum 1.09
Risk    : Weak Encryption & Info Disclosure


Description:
CGINews is a multi-user Web site news posting system written in Perl. 
Main features include: adding, updating, and deleting news entries, 
multi-user functionality, sections, access levels, logs, 
highly-configurable layout, file upload, binary attachments and more.


Weak Password Encryption:
The CGI News program does not use DES, MD5 or any other one way crypt
algorithm. It instead uses a weak, decryptable method. Below is a script
that can easily decrypt the passwords found in the programs *.pwl files.
This issue is also present in CGIForum 1.09 by Markus Triska and can be 
used to decode CGIForum password files as well.

http://www.gulftech.org/vuln/cnc.txt



Information Disclosure Vulnerability:
By default the users log files are viewable. username/username.log The only
files not viewable by default are the .pwl files

Sat Dec 13 21:06:37 2003: jeiar changed password.
Sat Dec 13 21:10:21 2003: jeiar changed E-Mail/Syntax: test@...h/jeiar.
Sat Dec 13 21:10:54 2003: jeiar tried to change password.
Sat Dec 13 21:13:59 2003: jeiar uploaded file: C:\cmd.exe
Sat Dec 13 21:31:38 2003: jeiar uploaded file: C:\cnc.pl


Solution:
You can add your own DES or MD5 encryption if you are familiar with PERL, and to
solve the logfile problem simply add a .htaccess file that makes the directory
not viewable. For example

AuthType Basic
AuthName "No access"
AuthUserFile .htnopasswd
AuthGroupFile /dev/null
Require valid-user

The author plans on including this type of .htaccess file in future versions, but 
does not have any plans on changing or strengthening the encryption method.

Credits:
Credits go to JeiAr of the GulfTech Security Research Team. 
http://www.gulftech.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ