BadBlue Discloses User and Administrator Passwords to Local Users
SecurityTracker Alert ID: 1007451
CVE Reference: GENERIC-MAP-NOMATCH
Date: Aug 10 2003
Impact: Disclosure of authentication information
Version(s): Personal Edition 2.4
Description: CyberTalon reported a vulnerability in the BadBlue web server. A local user can view passwords, including the administrator's password.
It is reported that the server stores usernames and passwords in clear text form in the 'ext.ini' file.
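The report describes a credential file in which each entry is a `userN=name•password` line with the password in the clear. As an added example (not BadBlue's code, and not part of the advisory), the Python below scans an ext.ini-style file for such entries, so an administrator can confirm the exposure, and shows the storage form the reporter asks for in point 3: a salted, iterated hash (PBKDF2-HMAC-SHA256, chosen here; the vendor's eventual fix is not described on the page) in place of the clear-text secret. The `[settings]`/`[users]` section headers in the sample are constructed and assumed; only the `userN=name•password` line format comes from the report.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample of an ext.ini credential section in the layout the
# report describes. The [settings]/[users] headers are assumed, not taken
# from BadBlue's real file; the user lines are the three from the report.
SAMPLE_EXT_INI = """[settings]
port=80

[users]
user1=admin•password
user2=cybertalon•p4ssword
user3=talon•cyberpass
"""

# userN=<name>•<secret>; the bullet separator is as printed in the report.
CRED_LINE = re.compile(r"^user(\d+)=([^•]+)•(.*)$")
# Marker for a secret already stored as a hash (our own format, assumed).
HASH_PREFIX = "pbkdf2_sha256$"


def find_cleartext_credentials(ini_text):
    """Return (line_no, username) for every credential line whose secret
    is stored in the clear rather than as a salted hash."""
    findings = []
    for line_no, line in enumerate(ini_text.splitlines(), 1):
        m = CRED_LINE.match(line.strip())
        if m and not m.group(3).startswith(HASH_PREFIX):
            findings.append((line_no, m.group(2)))
    return findings


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the record carries its own parameters
    so they can be raised later without a flag day."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{HASH_PREFIX}{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the stored salt and iteration count and
    compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo + "$" != HASH_PREFIX:
        raise ValueError("unknown password hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def convert_to_hashed(ini_text):
    """Rewrite every clear-text credential line to the hashed form and
    leave every other line untouched."""
    out = []
    for line in ini_text.splitlines():
        m = CRED_LINE.match(line.strip())
        if m and not m.group(3).startswith(HASH_PREFIX):
            idx, user, secret = m.groups()
            out.append(f"user{idx}={user}•{hash_password(secret)}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, user in find_cleartext_credentials(SAMPLE_EXT_INI):
        print(f"line {line_no}: clear-text password for user '{user}'")
    hardened = convert_to_hashed(SAMPLE_EXT_INI)
    print(hardened)
    print("remaining clear-text entries:", find_cleartext_credentials(hardened))
```

Hashing limits what a reader of the file learns; it does not address the cause the advisory lists (access control), so the file's permissions still need to restrict it to the server's service account.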
Impact: A local user can view web server passwords.
Solution: No solution was available at the time of this entry.
Vendor URL: www.badblue.com/
Cause: Access control error
Underlying OS: Windows (Any)
Reported By: cyber talon <cyber_talon@hotmail.com>
Message History:
None.
Source Message Contents
Date: Sun, 10 Aug 2003 00:57:07 -0300
From: cyber talon <cyber_talon@hotmail.com>
Subject: BadBlue PE 2.4 Local Password Vulnerability
BadBlue PE 2.4 Local Password Vulnerability
Found by: CyberTalon
1. Intro
2. Problem
3. Solution
4. Ending
5. Info
1. I have found a local password vulnerability in BadBlue PE 2.4.
2. BadBlue stores all the usernames and passwords in ext.ini, towards the
bottom in the format as follows:
user1=admin•password
user2=cybertalon•p4ssword
user3=talon•cyberpass
etc, etc, etc...
3. In future versions, it would be nice to use encryption when storing
sensitive data as such.
4. Providing the attacker could access the BadBlue folder, they could read
this file therefore obtaining all the usernames and passwords of the server.
5. Vendor URL: www.badblue.com
-CT