SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  paBox
Vendors:  PHP Arena
paBox May Disclose the Administrator's Password in a Cookie
SecurityTracker Alert ID:  1007540
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Aug 20 2003
Impact:  Disclosure of authentication information
Exploit Included:  Yes  
Version(s): 1.6
Description:  CyberTalon reported an information disclosure vulnerability in paBox. A local or remote user may be able to view the administrator's password.

It is reported that, after successful authentication, the server stores the administrator's username and password in clear text in a cookie on the administrator's browser. A remote user who is monitoring the network can view the password. A local user may also be able to view the password.

Impact:  A remote user monitoring the network may be able to obtain the administrator's password.

A local user may be able to view the administrator's password.

Solution:  No solution was available at the time of this entry.
Vendor URL:  www.phparena.net/pabox.php
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  cyber talon <cyber_talon@hotmail.com>
Message History:   None.


 Source Message Contents

Date:  Wed, 20 Aug 2003 13:35:42 -0300
From:  cyber talon <cyber_talon@hotmail.com>
Subject:  paBox 1.6 stores admin's username and password in a plain-text cookie

 

  paBox 1.6 stores admin's username and password in a plain-text cookie
                           Found by: CyberTalon

1. Problem
2. Solution
3. Info

1. paBox 1.6 stores the administrator's username and password, in
plain-text in a cookie locally after logging in. Example:

cookie[user]
username
site.loggedinto.com/pabox/
1024
3544852096
29583074
1747320064
29582966
 
cookie[pass]
password
site.loggedinto.com/pabox/
1024
3544852096
29583074
1747420064
29582966
 


2. They need to use encryption when storing sensitive information like-so.

3. Vendors URL: http://www.phparena.net/pabox.php

-CT
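
A check for this class of flaw, as an added example that is not part of the advisory, the report, or paBox itself: it inspects the Set-Cookie values a login response returns and reports any cookie that carries the submitted password or lacks the Secure and HttpOnly attributes. It goes beyond the clear-text case reported here by also matching URL-encoded, base64 and unsalted MD5/SHA-1 forms. The cookie names cookie[user] and cookie[pass] come from the report; the credentials, the sid cookie and all function names are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import unquote

# Constructed sample: Set-Cookie values returned after logging in with the
# password below. Cookie names follow the report; all values are made up.
SAMPLE_PASSWORD = "s3cret-Example!"
SAMPLE_HEADERS = [
    "cookie[user]=admin; path=/pabox/",
    "cookie[pass]=s3cret-Example%21; path=/pabox/",
    "sid=9f2c51d0a4b7e6c3; path=/pabox/; Secure; HttpOnly",
]

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, lowercase attribute names)."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    return name, value, {a.partition("=")[0].strip().lower() for a in attrs if a}

def credential_forms(secret):
    """Forms in which the secret could sit in a cookie and still be replayable."""
    raw = secret.encode()
    b64 = base64.b64encode(raw).decode()
    return {
        secret, b64, b64.rstrip("="),
        hashlib.md5(raw).hexdigest(),   # unsalted digests are password-equivalent
        hashlib.sha1(raw).hexdigest(),  # if the server accepts them from a cookie
    }

def audit(headers, password):
    """Return (cookie name, issue) findings for a login response."""
    if not password:
        raise ValueError("password must be non-empty")
    forms = credential_forms(password)
    findings = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        seen = (value, unquote(value))  # as sent, and with %XX escapes decoded
        if any(form in text for form in forms for text in seen):
            findings.append((name, "password material in cookie value"))
        if "secure" not in attrs:
            findings.append((name, "no Secure attribute: sent over plain HTTP too"))
        if "httponly" not in attrs:
            findings.append((name, "no HttpOnly attribute: readable by page script"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_HEADERS, SAMPLE_PASSWORD):
        print(f"{name}: {issue}")
```

A clean result for a login response is a single opaque, random session identifier with both attributes set, as the constructed sid cookie illustrates.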
