Packet Storm, PACKETSTORM:12174
History: Aug 17, 1999 - 12:00 a.m.

testtrack.passwd.dos.txt

`Date: Mon, 8 Mar 1999 10:58:17 -0500  
From: Fabien Royer <[email protected]>  
To: [email protected]  
Subject: Password and DOS Vulnerability with Testrack (bug tracking software)  
  
  
TestTrack, a bug tracking software made by Seapine Software  
(http://www.seapine.com) has a number of security problems that allow an  
attacker to acquire userids and passwords in clear text. TestTrack also has  
an implementation flaw that allows anyone to peg the CPU of the machine  
running the TestTrack server to 100%.  
  
I notified Seapine of this issue 30 days ago but they never bothered to  
answer my emails.  
  
Here follows the email that I sent to the Seapine sales rep handling my  
evaluation of the product:  
  
- - - - - - - - - - - - - - - - - - - - -  
  
Richard,  
  
After conducting a short evaluation of TestTrack WEB, I have decided not to  
move forward with the purchase of the product.  
  
The main reason for my decision is the lack of robustness of the components  
(ttcgi.exe and TestTrackWeb.exe).  
  
I was able to remotely break the TestTrack server and peg the CPU of the  
server hosting it at 100%.  
  
Here's how: using telnet, connect to port 99 of the TestTrack server, then  
disconnect without typing any data. As soon as you disconnect, the CPU jumps  
to 100%. The only way to get it back down is to kill the TestTrack server  
from the task manager.  
  
I was able to reproduce the same thing with ttcgi.exe. Log in to the  
TestTrack server using the web interface and start working normally. While  
working from the WEB browser, connect to port 99 of the TestTrack server  
using telnet and do nothing. From the WEB browser, attempt any operation,  
like adding a new bug report. As soon as you add, the WEB browser sits  
there, because the telnet connection is blocking it. The TestTrack server is  
not capable of processing more than one request at a time.  
  
Now, if you stop the activity of the WEB browser, you will see in the task  
manager that the ttcgi.exe process is still there! If I attempt the same  
operation again, a new ttcgi.exe process will be created, and so on and so  
on... I created 10 of them like this.  
  
Needless to say that if I decided to create a simple script creating a few  
thousand requests like this, I'd be able to exhaust the resources of the NT  
server in a few seconds and very likely crash it.  
  
At this point, if you disconnect the telnet session, the TestTrack server  
jumps to 100% and remains there. All the ttcgi.exe processes on the WEB  
server are still there. It's only after killing the TestTrack server that  
they finally go away.  
  
But in some cases during my tests, I was able to cause the ttcgi.exe to be  
pegged at 100%. Since this process was spawned by IIS, and was running as  
system, I could not kill it. I could not stop IIS either, leaving me only  
with the option to reboot NT. I would have had the same problem if I had  
executed TestTrackWeb.exe under ServerAny.  
  
Finally, under the \scripts directory, I noticed that ttcgi.exe creates a  
log file by default. This log file contains all the commands issued from  
ttcgi.exe to TestTrackWEB.exe, including clear text login information! See  
for yourself below. This is the same problem as the clear text user IDs and  
passwords in the project files.  
  
Command=Login&database=&uname=fabienr&pword=qwert123456&startat=Defects&submit=Login <---- Ouch!  
  
command=RecordList&cookie=0022e88b&from=1&table=user  
  
Command=UserListAction&cookie=0022e88b&RecordsPerPage=20&SEL01=1&listaction_makecustomer.x=46&listaction_makecustomer.y=10  
  
Because of these flaws capable of causing a complete denial of service on  
the machine running your software and a security breach because of the  
presence of clear text passwords, I cannot proceed any further with  
purchasing the product.  
  
Given the serious nature of these problems, I will post a report to  
NTBugTraq (http://www.ntbugtraq.com) in 30 days. This should give you more  
than enough time to fix these problems.  
  
Best regards,  
  
Fabien.  
  
-----------------------------------------------------------------------------  
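
The report above does not state the root cause of the hang, so the following is an added example (not Seapine's code and not from either message) of the general server-side pattern that tolerates both behaviours it describes: a client that connects and stays silent, and a client that disconnects without sending data. The `OK` line protocol, the timeout value and all names are assumptions made for the illustration.

```python
import socket
import socketserver
import threading

READ_TIMEOUT = 2.0  # assumed limit on how long a silent client may hold a connection


class Handler(socketserver.StreamRequestHandler):
    timeout = READ_TIMEOUT  # StreamRequestHandler.setup() applies this to the socket

    def handle(self):
        try:
            line = self.rfile.readline(1024)  # bounded read, one request per connection
        except OSError:
            return  # read timed out or connection reset: drop the client
        if not line:
            return  # EOF: peer left without sending data; do not retry the read
        self.wfile.write(b"OK " + line)


class Server(socketserver.ThreadingTCPServer):
    daemon_threads = True       # one thread per connection, so no client blocks another
    allow_reuse_address = True


def request(port, payload):
    """Send one request line to the local demo server and return the reply line."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        return s.makefile("rb").readline()


def demo():
    """Serve a request while an idle connection is open, then after it drops."""
    with Server(("127.0.0.1", 0), Handler) as srv:
        port = srv.server_address[1]
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        idle = socket.create_connection(("127.0.0.1", port))  # connects, sends nothing
        during = request(port, b"add-bug\n")  # must not wait for the idle client
        idle.close()                          # disconnect without having sent data
        after = request(port, b"list\n")      # service must still answer
        srv.shutdown()
        return during, after


if __name__ == "__main__":
    print(demo())
```
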
  
Date: Wed, 16 Jun 1999 11:14:06 -0400  
From: Richard Clyde <[email protected]>  
To: [email protected]  
Subject: Password and DOS Vulnerability with Testrack (bug tracking software)  
  
NTBUGTRAQ Item #2136 had reported several security issues in TestTrack Web (a bug tracking software). These security issues  
have all been addressed in version 1.2.0 of TestTrack Web. A free upgrade to version 1.2.0 is available via the web at  
www.seapine.com.  
  
The user IDs and passwords are encrypted in the database for added security. The CGI program has been modified to block  
attempts to peg the CPU of the TestTrack server through the use of telnet. A log file is no longer generated by the TestTrack  
Web application.  
  
Seapine Software has also taken steps to improve its customer support. The customer support group did not grow quickly enough  
in response to the success of the TestTrack product. Over the past five months, Seapine Software has hired additional technical  
support personnel and has focused on improving customer support response time.  
  
`
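
For sites that still hold log files in the `key=value&key=value` shape quoted in the first message, the following added example (not part of either message and not Seapine's code) redacts credential fields and lists the accounts whose passwords were written in clear text and therefore need a reset. The sample lines are constructed in the same shape as the excerpt; treating `cookie` as a session identifier and the extra key names `password` and `passwd` are assumptions.

```python
SECRET_KEYS = {"pword", "password", "passwd"}  # "pword" is from the excerpt; others assumed
TOKEN_KEYS = {"cookie"}                        # assumed to be a session identifier
MASK = "[REDACTED]"

# Constructed sample lines in the same shape as the log excerpt in the report.
SAMPLE_LOG = [
    "Command=Login&database=&uname=alice&pword=Constructed-Pw-1&startat=Defects&submit=Login",
    "command=RecordList&cookie=00aa11bb&from=1&table=user",
    "Command=Login&database=&uname=bob&pword=&startat=Defects&submit=Login",
]


def parse_pairs(line):
    """Split one log line into ordered (key, separator, value) triples."""
    return [field.partition("=") for field in line.strip().split("&")]


def redact_line(line):
    """Mask secret and token values, leaving every other field byte-for-byte intact."""
    out = []
    for key, sep, value in parse_pairs(line):
        if value and key.lower() in SECRET_KEYS | TOKEN_KEYS:
            value = MASK
        out.append(key + sep + value)
    return "&".join(out)


def exposed_accounts(lines):
    """Return the user names that appear next to a non-empty clear-text password."""
    users = set()
    for line in lines:
        fields = {key.lower(): value for key, _, value in parse_pairs(line)}
        if any(fields.get(k) for k in SECRET_KEYS):
            users.add(fields.get("uname", "<unknown>"))
    return sorted(users)


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(redact_line(entry))
    print("reset required for:", exposed_accounts(SAMPLE_LOG))
```
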