SecurityTracker.com

Category:  Application (Forum/Board/Portal) > Forum (MPCSoftWeb)
Vendors:  MPCSoftWeb
MPCSoftWeb Forum Access Control Flaw Discloses Administrator and User Passwords to Remote Users
SecurityTracker Alert ID:  1007568
SecurityTracker URL:  http://securitytracker.com/id/1007568
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Aug 26 2003
Impact:  Disclosure of authentication information, Disclosure of user information, User access via network
Exploit Included:  Yes

Description:   CyberTalon reported a vulnerability in MPCSoftWeb's Forum software. A remote user can view the administrator's password, as well as passwords for Forum users.

According to the report, the Forum stores the passwords for all Forum users, including the administrator, in the 'databases/mpcsoftweb_forum.mdb' file, and a remote user can request that file and view the passwords.

A demonstration exploit URL is provided:

http://[target]/forumfolder/databases/mpcsoftweb_forum.mdb

Impact:   A remote user can view Forum usernames and passwords.
Solution:   No solution was available at the time of this entry.

The report indicates that, as a workaround, you can use web server access controls to hide the 'mpcsoftweb_forum.mdb' file.
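
Because the database was retrievable by URL, the web server access logs show whether it has already been downloaded and whether the access-control workaround is now refusing requests. The following is an added example, not part of the advisory or the original report; it assumes IIS-style W3C extended logs with a `#Fields:` header, and the sample log lines are constructed.

```python
from urllib.parse import unquote

# Database path from the advisory, relative to the forum folder.
DB_SUFFIX = "/databases/mpcsoftweb_forum.mdb"
# Statuses meaning the server returned the file (or confirmed a cached copy).
SERVED = {"200", "206", "304"}

# Constructed sample in W3C extended format; addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-08-26 09:14:02 192.0.2.10 GET /forumfolder/default.asp 200
2003-08-26 09:15:40 198.51.100.7 GET /forumfolder/databases/mpcsoftweb_forum.mdb 200
2003-08-26 09:16:05 198.51.100.7 GET /forumfolder/Databases/MPCSoftWeb_Forum.MDB 206
2003-08-27 11:02:19 203.0.113.5 GET /forumfolder/databases/mpcsoftweb_forum%2Emdb 403
"""


def find_db_requests(log_text):
    """Return (served, blocked) lists of (date, time, client_ip, status)."""
    fields, served, blocked = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Windows paths are case-insensitive and clients may percent-encode.
        stem = unquote(row.get("cs-uri-stem", "")).lower().replace("\\", "/")
        if not stem.endswith(DB_SUFFIX):
            continue
        hit = (row.get("date"), row.get("time"),
               row.get("c-ip"), row.get("sc-status"))
        (served if hit[3] in SERVED else blocked).append(hit)
    return served, blocked


if __name__ == "__main__":
    served, blocked = find_db_requests(SAMPLE_LOG)
    for hit in served:
        print("DISCLOSED", *hit)
    for hit in blocked:
        print("blocked  ", *hit)
```

Any entry in the served list means the stored usernames and passwords should be treated as disclosed; entries in the blocked list indicate the access control is refusing the request.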

Vendor URL:  www.mpcsoftweb.co.uk/pages/mpcsoftweb_forum.asp
Cause:   Access control error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Mon, 25 Aug 2003 12:47:38 -0300
Subject:  mpcsoftweb Forum discloses the database of usernames and passwords


    mpcsoftweb Forum discloses the database of usernames and passwords
                        Found by: CyberTalon

1. Problem
2. Exploit
3. Solution
4. Info

1. mpcsoftweb Forum stores all the usernames and passwords of the forum
including the administrators in databases/mpcsoftweb_forum.mdb, which is
downloadable through the web by remote users.

2. www.siterunningtheforum.com/forumfolder/databases/mpcsoftweb_forum.mdb

3. Hide mpcsoftweb_forum.mdb.

4. Vendor URL: http://www.mpcsoftweb.co.uk/pages/mpcsoftweb_forum.asp

-CT


Copyright 2012, SecurityGlobal.net LLC