NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Full-Disclosure> 2005-05

[Full-disclosure] Ultimate Forum Password Database Vulnerability

From: eric basher (basher13linuxmail.org)
Date: Sun May 15 2005 - 07:42:02 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Update:
12:15 AM 5/14/2005

Subject:
" Ultimate Forum Password Database Vulnerability "

Vulnerable version:
Ultimate Forum 1.0

Description:
Ultimate forum is an Open forum i.e. no logon restrictions or private areas.
Forum is a text file based. Each forum is multithreaded and stored in a separate
text file in the folder db/Forums. All of the forum management should be done via
administration page “admin.asp”.

Vulnerability:
The application has stored database for Administration on the directory called
'db/',uses filetype .DAT extention as 'Genid.DAT'.The credentials are stored encrypted
in another text file "Genid.dat".A vulnerability on this application
that make password can be take by browser(download),then use program encryption
to descrypt the password/username .The password and username was encrypted and
save it as 'Genit.DAT'.

Sample source:

(..)
EncryptUserID = CryptText(name, "$ugess", False)
EncryptPassword = CryptText(pass, "$ugess", False)
passFile = server.mappath("db\Genid.dat")
(..)

Here a vulnerable Administration Database;

passFile = server.mappath("db\Genid.dat")

Execute URL 'http://localhost/db/Genit.dat',then we go to download files
,use notepad to open file;

User name :
Ö¤ÔÎáÜ—é²ÈÙâå <-------
                         |
Password : |
å¡ÚØêâ–Ù <------|
                         |
     ---------------------
     |
     |
     ------ > 'Open 'Genid.dat' at directory 'db' ,
then use SEDT tools to sure descrypt for the files 'Genit.dat'

Solution:
Modify or rename "db\Genid.dat" to another name,sample:
(..)
EncryptUserID = CryptText(name, "$ugess", False)
EncryptPassword = CryptText(pass, "$ugess", False)
passFile = server.mappath("db\Genid.dat")'A vulnerable line
'server.mappath("db\Genid.dat") modify to 'server.mappath("somepage\filename.dat")
(..)
Other else change string "$ugess" is a crypt key. Change it at your will.
But make sure it's the same on the "commit.asp" page.

Vendor URL:
http://www.gurgensvbstuff.com

Security Audit Tools:
http://user.7host.com/stardawn/files/sedt.zip

Credits:
Published by - basher13[basher13linuxmail.org]

--
_______________________________________________
Check out the latest SMS services http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.

Powered by Outblaze
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]