lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20050515124202.3AFC623D02@ws5-3.us4.outblaze.com>
Date: Sun May 15 13:50:45 2005
From: basher13 at linuxmail.org (eric basher)
Subject: Ultimate Forum  Password Database Vulnerability

Update:
12:15 AM 5/14/2005

Subject:
" Ultimate Forum  Password Database Vulnerability "


Vulnerable version:
Ultimate Forum 1.0




Description:
Ultimate forum is an Open forum i.e. no logon restrictions or private areas.
Forum is a text file based. Each forum is multithreaded and stored in a separate 
text file in the folder db/Forums. All of the forum management should be done via 
administration page ?admin.asp?.





Vulnerability:
The application has stored database for Administration  on the directory called
'db/',uses filetype .DAT extention as 'Genid.DAT'.The credentials are stored encrypted 
in another text file "Genid.dat".A vulnerability on this application
that make password can be take by browser(download),then use program encryption
to descrypt the password/username .The password and username was encrypted and 
save it as 'Genit.DAT'.


Sample source:

(..)
EncryptUserID = CryptText(name, "$u@...s", False)
	EncryptPassword = CryptText(pass, "$u@...s", False)
	passFile = server.mappath("db\Genid.dat")
(..)


Here a vulnerable Administration Database;

passFile = server.mappath("db\Genid.dat")

Execute URL 'http://localhost/db/Genit.dat',then we go to download files
,use notepad to open file;


User name :
?????????????     <-------
                         |
Password :               |
????????          <------|
			 |
     ---------------------
     |
     |
     ------ > 'Open 'Genid.dat' at directory 'db' ,
then use SEDT tools to sure descrypt for the files 'Genit.dat'




Solution:
Modify or rename "db\Genid.dat" to another name,sample:
(..)
EncryptUserID = CryptText(name, "$u@...s", False)
EncryptPassword = CryptText(pass, "$u@...s", False)
passFile = server.mappath("db\Genid.dat")'A vulnerable line
'server.mappath("db\Genid.dat") modify to 'server.mappath("somepage\filename.dat")
(..)
Other else change string "$u@...s" is a crypt key. Change it at your will. 
But make sure it's the same on the "commit.asp" page.




Vendor URL:
http://www.gurgensvbstuff.com



Security Audit Tools:
http://user.7host.com/stardawn/files/sedt.zip




Credits:
Published by - basher13[basher13@...uxmail.org]

-- 
_______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.

Powered by Outblaze

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ