SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  Forum (MPCSoftWeb)
Vendors:  MPCSoftWeb
MPCSoftWeb Forum Access Control Flaw Discloses Administrator and User Passwords to Remote Users
SecurityTracker Alert ID:  1007568
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Aug 26 2003
Impact:  Disclosure of authentication information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Description:  CyberTalon reported a vulnerability in MPCSoftWeb's Forum software. A remote user can view the administrator's password, as well as passwords for Forum users.

It is reported that the Forum stores the passwords for all Forum users, including the administrator, in the 'databases/mpcsoftweb_forum.mdb' file. A remote user can request the file and view the passwords, according to the report.

A demonstration exploit URL is provided:

http://[target]/forumfolder/databases/mpcsoftweb_forum.mdb

Impact:  A remote user can view Forum usernames and passwords.
Solution:  No solution was available at the time of this entry.

The report indicates that, as a workaround, you can use web server access controls to hide the 'mpcsoftweb_forum.mdb' file.

Vendor URL:  www.mpcsoftweb.co.uk/pages/mpcsoftweb_forum.asp
Cause:  Access control error
Underlying OS:  Windows (Any)
Reported By:  cyber talon <cyber_talon@hotmail.com>
Message History:   None.
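
The workaround above only helps once you know which data files sit inside the served tree. The following is an added example, not code from the report or the vendor: a local audit that walks a web root on disk and lists the URL paths at which file-based data stores would be requestable if the server applies no access controls. The extension list beyond '.mdb', the function names and the sample file 'default.asp' are assumptions made for illustration.

```python
import os
import tempfile

# Extensions of file-based data stores that should never sit under a served
# directory. ".mdb" is the one named in the advisory; the rest are assumptions.
DATA_STORE_EXTENSIONS = {".mdb", ".accdb", ".sqlite", ".db"}


def find_exposed_data_files(web_root, extensions=DATA_STORE_EXTENSIONS):
    """Return sorted URL paths of data-store files located under web_root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        for name in filenames:
            # Compare case-insensitively: Windows file names may be upper case.
            if os.path.splitext(name)[1].lower() in extensions:
                rel = os.path.relpath(os.path.join(dirpath, name), web_root)
                findings.append("/" + rel.replace(os.sep, "/"))
    return sorted(findings)


def build_sample_root(base):
    """Create a constructed web root that mirrors the layout in the advisory."""
    db_dir = os.path.join(base, "forumfolder", "databases")
    os.makedirs(db_dir)
    for path in (
        os.path.join(db_dir, "mpcsoftweb_forum.mdb"),
        os.path.join(base, "forumfolder", "default.asp"),  # hypothetical page
    ):
        with open(path, "wb") as handle:
            handle.write(b"constructed sample\n")
    return base


def audit_sample():
    """Run the audit over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_exposed_data_files(build_sample_root(tmp))


if __name__ == "__main__":
    for url_path in audit_sample():
        print("served path exposes a data file:", url_path)
```

Each path reported is a candidate for moving outside the web root or for a deny rule in the web server's access controls.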


 Source Message Contents

Date:  Mon, 25 Aug 2003 12:47:38 -0300
From:  cyber talon <cyber_talon@hotmail.com>
Subject:  mpcsoftweb Forum discloses the database of usernames and passwords

 

    mpcsoftweb Forum discloses the database of usernames and passwords
                        Found by: CyberTalon

1. Problem
2. Exploit
3. Solution
4. Info

1. mpcsoftweb Forum stores all the usernames and passwords of the forum
including the administrators in databases/mpcsoftweb_forum.mdb, which is
downloadable through the web by remote users.

2. www.siterunningtheforum.com/forumfolder/databases/mpcsoftweb_forum.mdb

3. Hide mpcsoftweb_forum.mdb.

4. Vendor URL: http://www.mpcsoftweb.co.uk/pages/mpcsoftweb_forum.asp

-CT


Copyright 2002, SecurityGlobal.net LLC