Gurgens Guest Book Discloses Database and Passwords to Remote Users
|
|
SecurityTracker Alert ID: 1013976
|
|
SecurityTracker URL: http://securitytracker.com/id?1013976
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: May 16 2005
|
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information
|
Exploit Included: Yes
|
Version(s): 2.1
|
Description: A vulnerability was reported in Gurgens Guest Book. A remote user can access the database.
A remote user can access the 'Genid.dat' file in the 'db' directory and then decrypt the passwords in the file.
A demonstration exploit URL is provided:
http://[target]/db/Genit.dat
basher13 reported this vulnerability.
|
Impact: A remote user can access the database and decrypt the passwords.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.gurgensvbstuff.com/ (Links to External Site)
|
Cause: Access control error
|
Underlying OS: Windows (Any)
|
Reported By: "eric basher" <basher13@linuxmail.org>
|
Message History:
None.
|
Source Message Contents
|
Date: Sun, 15 May 2005 20:42:51 +0800
From: "eric basher" <basher13@linuxmail.org>
Subject: [Full-disclosure] Gurgens Guest Book Password Database Vulnerability
|
Update:
1:02 AM 5/13/2005
Subject:
" Gurgens Guest Book Password Database Vulnerability "
Vulnerable version:
Guest Book 2.1
Description:
Guest Book is a complete solution which requires none or very little effort to set up and
match existing website configuration. Control Panel with "Virtual Designer" allows
complete Guest Book design build on the client side
The idea behind this “Guest Book” is, to store message records in a text file.
Although, compare to ADO, it's a bit complicated to retrieve and set individual
records in the text file, this method seems to be quicker.Messages are stored in
a text file “guestrecord.txt”. This file if fully administrable through “admin.asp “
page.
Vulnerability:
The application has stored database for Administration on the directory called
'db/',uses filetype .DAT extention as 'Genid.DAT'.The credentials are stored encrypted
in another text file "Genid.dat".A vulnerability on this application
that make password can be take by browser(download),then use program encryption
to descrypt the password/username .The password and username was encrypted and
save it as 'Genit.DAT'.
Sample source:
ElseIF flag = 1 then
Set objFile = CreateObject("Scripting.FileSystemObject")
Password = Trim(Request.form("Password"))
UserID = Trim(Request.form("UserID"))
passFile = server.mappath("db\Genid.dat")'A vulnerable line
Set passGet=objFile.OpenTextFile(passFile, 1)
DUserID = passGet.ReadLine
DecryptUserID = CryptText(DUserID, "$u@gess", True)
DPass = passGet.ReadLine 'String "$u@gess" is a crypt key
DecryptPassword = CryptText(DPass, "$u@gess", True)
passGet.Close
Here a vulnerable Administration Database;
passFile = server.mappath("db\Genid.dat")
Execute URL 'http://localhost/db/Genit.dat',then we go to download files
,use notepad to open file;
User name :
Ö¤ÔÎáÜ—é²ÈÙâå <-------
|
Password = |
å¡ÚØêâ–Ù <------|
|
--------------------------
------ > 'Open 'Genid.dat' on directory 'db' ,
then use SEDT tools to sure descrypt the files 'Genit.dat'
Solution:
Modify or rename "db\Genid.dat" to another name,sample:
(..)
UserID = Trim(Request.form("UserID"))
passFile = server.mappath("db\Genid.dat")'A vulnerable line
'server.mappath("db\Genid.dat") modify to server.mappath("somepage\filename.dat")
(..)
Other else Change String "$u@gess" it at your will. But make sure it's the same
on the "reset.asp" page.
Vendor URL:
http://www.gurgensvbstuff.com
Security Audit Tools:
http://user.7host.com/stardawn/files/sedt.zip
Credits:
Published by - basher13[basher13@linuxmail.org]
--
_______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.
Powered by Outblaze
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
|
|
