lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20111215102447.GD14511@X200s-1.atalante.redteam-pentesting.de>
Date: Thu, 15 Dec 2011 11:24:47 +0100
From: RedTeam Pentesting GmbH <release@...team-pentesting.de>
To: full-disclosure@...ts.grok.org.uk
Subject: [RT-SA-2011-006] Owl Intranet Engine: Information
 Disclosure and Unsalted Password Hashes

Advisory: Owl Intranet Engine: Information Disclosure and Unsalted Password Hashes

The Owl Intranet Engine uses no salting in the password hashing
procedure. Furthermore, users in the "Administrators" group are able to
see the MD5 password hashes of every user using the web interface.


Details
=======

Product: Owl Intranet Engine
Affected Versions: 1.01, possibly all older versions
Fixed Versions: none
Vulnerability Type: Information Disclosure, Unsalted Password Hashes
Security Risk: low
Vendor URL: http://owl.anytimecomm.com
Vendor Status: decided not to fix
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-006
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

"Owl is a multi user document repository (knowledge base) system written
in PHP for publishing files/documents onto the web for a corporation,
small business, group of people, or just for yourself."

(From the vendor's homepage)


More Details
============

The administrative interface of the Owl Intranet Engine allows users in
the "Administrators" group to edit user accounts over the "Users&Groups"
tab. If a user is selected for editing, all account information is
shown. In this overview, the password field is filled with the MD5 hash
value of the old user password, as can be seen in the HTML sources.
This allows users with administrative access to the Owl Intranet Engine
to see the password hashes of every user. 

Furthermore, no salting is used when the password hashes are generated,
allowing a rainbow tables attack against user passwords.


Fix
===

None.


Security Risk
=============

This vulnerability allows administrative users to collect the MD5
password hashes of every user of the affected Owl Intranet Engine system
through the administrative interface. Because no salting is employed, a
rainbow tables attack can be run against the collected password hashes
and the password values can possibly be recovered in a short time. The
risk potential is however deemed to be low, as users with administrative
access to the OWL Intranet Engine already have extensive access rights.


History
=======

2011-05-29 Vulnerability identified
2011-07-26 Customer approved disclosure to vendor
2011-10-31 Vendor notified
2011-11-30 Vendor releases new version that does not fix the issue
2011-12-15 Advisory released


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
http://www.redteam-pentesting.de.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ