DUportal Password Database Disclosure

2003-12-18T06:24:20
ID OSVDB:3776
Type osvdb
Reporter OSVDB
Modified 2003-12-18T06:24:20

Description

Vulnerability Description

DUportal contains a flaw that allows a remote attacker to access the user database file, which contains unencrypted passwords. Because the passwords are not encrypted and the database file is available to remote attackers, every user account could be compromised.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. The flaw can be corrected with the following workaround: change the permissions so that remote users cannot access the DUportal.mdb file.

Manual Testing Notes

http://[victim]/database/DUportal.mdb
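Requests for this path show up in the web server's access logs, so the logs can be used to check whether the database was already retrieved and to confirm that the workaround now denies the request. The script below is an added example, not part of the OSVDB entry or of DUportal; it assumes IIS W3C extended log format, and the log lines and addresses in it are constructed sample data.

```python
"""Added example: find requests for Access database files in IIS W3C logs."""
from urllib.parse import unquote

# Constructed sample log (not from the advisory); IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2003-12-18 06:30:01 192.0.2.10 GET /default.asp 200 5120
2003-12-18 06:31:44 198.51.100.7 GET /database/DUportal.mdb 200 417792
2003-12-18 06:32:10 198.51.100.7 GET /database/duportal%2Emdb 200 417792
2003-12-19 09:02:13 203.0.113.5 GET /database/DUportal.mdb 403 0
"""

SERVED = {"200", "206"}          # full or partial content was returned
DENIED = {"401", "403", "404"}   # what the workaround should produce


def mdb_requests(log_text, suffix=".mdb"):
    """Return (served, denied) lists of log records whose path ends in suffix."""
    fields, served, denied = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        # Decode percent-escapes in case they were logged raw, and compare
        # case-insensitively because IIS paths are not case-sensitive.
        path = unquote(rec.get("cs-uri-stem", "")).lower()
        if not path.endswith(suffix):
            continue
        status = rec.get("sc-status", "")
        if status in SERVED:
            served.append(rec)
        elif status in DENIED:
            denied.append(rec)
    return served, denied


if __name__ == "__main__":
    served, denied = mdb_requests(SAMPLE_LOG)
    for r in served:
        print("DOWNLOADED", r["date"], r["time"], r["c-ip"], r["cs-uri-stem"], r["sc-bytes"])
    for r in denied:
        print("denied    ", r["date"], r["time"], r["c-ip"], r["cs-uri-stem"])
```

Any record in the served list means the password database left the server, so every account in it should be treated as compromised and its password reset.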

References:

Vendor URL: http://www.duware.com/products/category.asp?iCat=8&nCat=Portal%20&%20Site
Secunia Advisory ID: 10456
Related OSVDB ID: 3071
Related OSVDB ID: 3772
Related OSVDB ID: 3774
Related OSVDB ID: 3775
Related OSVDB ID: 3773
Related OSVDB ID: 3269
Other Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2003-12/0239.html
ISS X-Force ID: 14016
Generic Exploit URL: http://www.gulftech.org/vuln/DUd3.html
Bugtraq ID: 9246