lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <001601c329cf$1fef6e60$1c000014@PBH>
From: support at ircxpro.com (IRCXpro Support)
Subject: Re: IRCXpro 1.0 - Clear local and default remote admin passwords

To whom it concerns,

Regarding the vulnerability in the advisory for IRCXpro 1.0

They are of minuscule threat and not worth the attention.

Vulnerability(s):
1. Local clear passwords

Our Reply: It is common place for all IRC Server applications to store clear
passwords in the IRCD.config files.  The nature of the program is for it to
be used by Remote Users, NOT local ones.

2. Remote default admin enabled
Our Reply: The user is prompted before the server starts for the first time
to set their own Operator Name and Password during the Initial Wizard for
their administrator account.  (See initial.gif file attachment)

The fragment >> Serv.LogonSettings "LocalHost", 7100, "admin", "password" <<
is from a sample .ASP page found in the IRCXpro SDK (Software Development
Kit).  In order for this sample to work, the real operator name and password
needs to be inserted before being placed on IIS (Internet Information
Services).

Regards,
IRCXpro Support
Quality On Line Ltd

----- Original Message ----- 
From: "morning_wood" <se_cur_ity@...mail.com>
To: <bugtraq@...urityfocus.com>; <full-disclosure@...ts.netsys.com>;
<support@...xpro.com>; <sales@...xpro.com>
Sent: Tuesday, June 03, 2003 8:57 AM
Subject: IRCXpro 1.0 - Clear local and default remote admin passwords


> ------------------------------------------------------------------
>           - EXPL-A-2003-002 exploitlabs.com Advisory 002
> ------------------------------------------------------------------
>                           -=- IRCXpro 1.0 -=-
>
>
> Vunerability(s):
> ----------------
> 1.local clear passwords
> 2.remote default admin enabled
>
>
> Product:
> --------
> IRCXpro Server 1.0
> http://www.ircxpro.com
>
>
> Reviews:
> --------
> http://www.serverwatch.com/sreviews/article.php/1501261
> http://reviews.zdnet.co.uk/review/41/2/3418.html
>
>
> Description of product:
> -----------------------
> "IRCXpro is a feature rich Internet Relay-Chat (IRC/IRCX) Server
> that can provide the basis for an interactive online community.
>  Guests will be able to take part in conversation using either
> an Internet Browser chat client or 3rd party chat software."
>
>
> VUNERABILITY / EXPLOIT
> ======================
>
>
> Local:
> ------
> All passwords and user names are inside settings.ini ... in the clear
>
>
> Remote:
> -------
> Default Settings... Remote admin.
>
>
> Serv.LogonSettings "LocalHost", 7100, "admin", "password"
>
>
> Vendor Fix:
> -----------
> No fix on 0day
>
> Vendor Contact:
> ---------------
> sales@...xpro.com
> support@...xpro.com
>
> Concurrent with this advisory
>
> Credits:
> --------
>
> Donnie Werner
> http://exploitlabs.com "where finding your holes is job one, and plugging
> them twice the phun"
> morning_wood@...loitlabs.com
> Corporate Security Needs at http://fram4.com Security Systems
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Initial.gif
Type: image/gif
Size: 19223 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030603/8557de4d/Initial.gif

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ