Date: Mon, 8 Mar 1999 10:58:17 -0500
From: Fabien Royer <[email protected]>
To: [email protected]
Subject: Password and DOS Vulnerability with TestTrack (bug tracking software)
TestTrack, bug tracking software made by Seapine Software
(http://www.seapine.com) has a number of security problems that allow an
attacker to acquire userids and passwords in clear text. TestTrack also has
an implementation flaw that allows anyone to peg the CPU of the machine
running the TestTrack server to 100%.
I notified Seapine of this issue 30 days ago but they never bothered to
answer my emails.
Here follows the email that I sent to the Seapine sales rep handling my
evaluation of the product:
- - - - - - - - - - - - - - - - - - - - -
Richard,
After conducting a short evaluation of TestTrack WEB, I have decided not to
move forward with the purchase of the product.
The main reason for my decision is the lack of robustness of the components
(ttcgi.exe and TestTrackWeb.exe).
I was able to remotely break the TestTrack server and peg the CPU of the
server hosting it at 100%.
Here's how: using telnet, connect to port 99 of the TestTrack server, then
disconnect without typing any data. As soon as you disconnect, the CPU jumps
to 100%. The only way to get it back down is to kill the TestTrack server
from the task manager.
I was able to reproduce the same thing with ttcgi.exe. Login to the
TestTrack server using the web interface and start working normally. While
working from the WEB browser, connect to port 99 of the TestTrack server
using telnet and do nothing. From the WEB browser, attempt any operation,
like adding a new bug report. As soon as you add, the WEB browser sits
there, because the telnet connection is blocking it. The TestTrack server is
not capable of processing more than one request at a time.
Now, if you stop the activity of the WEB browser, you will see in the task
manager that the ttcgi.exe process is still there! If I attempt the same
operation again, a new ttcgi.exe process will be created, and so on and so
on... I created 10 of them like this.
Needless to say, if I decided to create a simple script creating a few
thousand requests like this, I'd be able to exhaust the resources of the NT
server in a few seconds and very likely crash it.
At this point, if you disconnect the telnet session, the TestTrack server
jumps to 100% and remains there. All the ttcgi.exe processes on the WEB
server are still there. It's only after killing the TestTrack server that
they finally go away.
But in some cases during my tests, I was able to cause the ttcgi.exe to be
pegged at 100%. Since this process was spawned by IIS, and was running as
system, I could not kill it. I could not stop IIS either, leaving me only
with the option to reboot NT. I would have had the same problem if I had
executed TestTrackWeb.exe under ServerAny.
Finally, under the \scripts directory, I noticed that ttcgi.exe creates a
log file by default. This log file contains all the commands issued from
ttcgi.exe to TestTrackWEB.exe, including clear text login information! See
for yourself below. This is the same problem as the clear text user IDs and
passwords in the project files.
Command=Login&database=&uname=fabienr&pword=qwert123456&startat=Defects&submit=Login <---- Ouch!
command=RecordList&cookie=0022e88b&from=1&table=user
Command=UserListAction&cookie=0022e88b&RecordsPerPage=20&SEL01=1&listaction_makecustomer.x=46&listaction_makecustomer.y=10
Because of these flaws capable of causing a complete denial of service on
the machine running your software and a security breach because of the
presence of clear text passwords, I cannot proceed any further with
purchasing the product.
Given the serious nature of these problems, I will post a report to
NTBugTraq (http://www.ntbugtraq.com) in 30 days. This should give you more
than enough time to fix these problems.
Best regards,
Fabien.
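The blocking test described in the message above (hold a silent telnet connection on the server port, then make a normal request and watch it hang), reproduced here as an added Python example; this is not code from the report or from Seapine's product. It runs a loopback server in two configurations, one that serves a single connection at a time the way the report describes TestTrack behaving, and one that gives each connection its own thread and/or an idle timeout, and a probe that issues a real request while a second connection sits idle. The loopback port, the request line and the `OK\n` reply are assumptions for the demo. The handler's early return on a zero-length read is included because a read loop that does not treat a zero-length read as "peer hung up" is one common cause of the "CPU jumps to 100% when you disconnect" symptom; the report does not say what TestTrack actually did internally.

```python
import socket
import threading

HOST = "127.0.0.1"      # loopback only: constructed demo, not a real TestTrack host
REPLY = b"OK\n"         # assumed reply; the real server's protocol is not in the report


def handle(conn, idle_timeout):
    """Serve one client on `conn`: read until a newline, answer, hang up.

    idle_timeout=None waits forever for a silent client (what a bare telnet
    connection does to the server in the report); a number drops the client
    after that many seconds of silence.  The `if not data` branch treats a
    zero-length read as the peer disconnecting.  A loop without that check
    spins at 100% CPU once the client drops, which is one common cause of the
    report's symptom (assumption: the report does not say what TestTrack did).
    """
    conn.settimeout(idle_timeout)
    try:
        buf = b""
        while b"\n" not in buf:
            data = conn.recv(1024)
            if not data:                # EOF: client left without sending anything
                return
            buf += data
        conn.sendall(REPLY)
    except OSError:                     # timeout on a silent client, or reset by peer
        return
    finally:
        conn.close()


def start_server(concurrent, idle_timeout=None):
    """Bind an ephemeral loopback port, serve on a daemon thread, return the port.

    concurrent=False models the one-request-at-a-time server the report
    describes: a silent client parks the accept loop until it goes away.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(16)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            if concurrent:
                threading.Thread(target=handle, args=(conn, idle_timeout),
                                 daemon=True).start()
            else:
                handle(conn, idle_timeout)

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def probe(port, wait=1.0):
    """Reproduce the report's test: hold one connection open without sending
    anything, then make a normal request on a second connection.

    Returns True if the request is answered within `wait` seconds despite the
    idle connection, False if the idle connection blocks it.
    """
    idle = socket.create_connection((HOST, port))
    try:
        client = socket.create_connection((HOST, port))
        client.settimeout(wait)
        try:
            client.sendall(b"Command=RecordList\n")   # constructed request line
            got = b""
            while len(got) < len(REPLY):
                chunk = client.recv(len(REPLY) - len(got))
                if not chunk:
                    break
                got += chunk
            return got == REPLY
        except socket.timeout:
            return False
        finally:
            client.close()
    finally:
        idle.close()


if __name__ == "__main__":
    print("serial, no timeout:   responsive =", probe(start_server(False)))
    print("serial, 0.2s timeout: responsive =", probe(start_server(False, idle_timeout=0.2)))
    print("threaded, no timeout: responsive =", probe(start_server(True)))
```

Run it and the first configuration reports `False` (the idle connection starves the one request the server can handle), while either fix alone, a per-connection idle timeout or a thread per connection, reports `True`. Against a real service the same probe, pointed at the host and port, is a quick way to tell whether an upgrade actually removed the blocking behaviour rather than just the log file.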
-----------------------------------------------------------------------------
Date: Wed, 16 Jun 1999 11:14:06 -0400
From: Richard Clyde <[email protected]>
To: [email protected]
Subject: Password and DOS Vulnerability with TestTrack (bug tracking software)
NTBUGTRAQ Item #2136 reported several security issues in TestTrack Web (bug tracking software). These security issues
have all been addressed in version 1.2.0 of TestTrack Web. A free upgrade to version 1.2.0 is available via the web at
www.seapine.com.
The user IDs and passwords are encrypted in the database for added security. The CGI program has been modified to block
attempts to peg the CPU of the TestTrack server through the use of telnet. A log file is no longer generated by the TestTrack
Web application.
Seapine Software has also taken steps to improve its customer support. The customer support group did not grow quickly enough
in response to the success of the TestTrack product. Over the past five months, Seapine Software has hired additional technical
support personnel and has focused on improving customer support response time.
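The ttcgi log quoted in the first message is the kind of artefact an administrator of an affected installation would want to find and scrub, whether or not the 1.2.0 upgrade above has been applied. As an added example (not code from the report or from Seapine), here is a small Python scanner that parses each logged command line as a query string, reports which parameter names carried a credential and for which user, and emits a redacted copy that can be attached to a ticket. The sample log is constructed in the shape of the quoted excerpt (its first line repeats the logged login exactly as the report shows it); the credential and username key names beyond `pword` and `uname`, and the `REDACTED` marker, are assumptions.

```python
from urllib.parse import parse_qsl, urlencode

# Parameter names that carry a credential.  'pword' is the name in the report's
# ttcgi log; the others are assumed aliases worth matching in similar logs.
CREDENTIAL_KEYS = {"pword", "password", "passwd", "pwd"}
# Parameter names that identify the account.  'uname' is from the report.
USER_KEYS = {"uname", "user", "username"}

# Constructed sample in the shape of the log quoted in the report.  The first
# line is the logged login as shown there; the password is the report's value,
# not a live credential.
SAMPLE_LOG = """\
Command=Login&database=&uname=fabienr&pword=qwert123456&startat=Defects&submit=Login
command=RecordList&cookie=0022e88b&from=1&table=user
Command=UserListAction&cookie=0022e88b&RecordsPerPage=20&SEL01=1&listaction_makecustomer.x=46&listaction_makecustomer.y=10
"""


def scan_log(text):
    """Return (findings, redacted_text).

    findings: one (line_no, user, key) tuple per logged parameter whose name is
    a credential key; `user` is the username parameter on the same line, or
    None if there was none.
    redacted_text: the same log with every credential value replaced by
    'REDACTED'.  Lines are re-encoded with urlencode, so any %-escapes in the
    original come back normalised; for plain ASCII lines like these the
    non-credential fields round-trip unchanged.
    """
    findings = []
    redacted_lines = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # keep_blank_values so 'database=' survives; key case is preserved
        params = parse_qsl(line, keep_blank_values=True)
        user = next((v for k, v in params if k.lower() in USER_KEYS), None)
        cleaned = []
        for key, value in params:
            if key.lower() in CREDENTIAL_KEYS:
                findings.append((line_no, user, key))
                value = "REDACTED"
            cleaned.append((key, value))
        redacted_lines.append(urlencode(cleaned))
    return findings, "\n".join(redacted_lines)


if __name__ == "__main__":
    found, clean = scan_log(SAMPLE_LOG)
    for line_no, user, key in found:
        print(f"line {line_no}: clear-text credential in '{key}' for user {user!r}")
    print(clean)
```

On the sample this reports one finding, line 1, user `fabienr`, key `pword`, and the redacted copy keeps every other field (including the `cookie` session values, which the report does not treat as secrets) intact.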