Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ultimatedisclose.txt

🗓️ 14 Aug 2005 00:00:00Reported by basher13Type 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 29 Views

Ultimate Forum Password Database Vulnerability. Open text file based forum with encrypted credentials, vulnerable to password theft.

Code
`Update:  
12:15 AM 5/14/2005  
  
Subject:  
" Ultimate Forum Password Database Vulnerability "  
  
  
Vulnerable version:  
Ultimate Forum 1.0  
  
  
  
  
Description:  
Ultimate forum is an Open forum i.e. no logon restrictions or private areas.  
Forum is a text file based. Each forum is multithreaded and stored in a separate   
text file in the folder db/Forums. All of the forum management should be done via   
administration page “admin.asp”.  
  
  
  
  
  
Vulnerability:  
The application has stored database for Administration on the directory called  
'db/',uses filetype .DAT extention as 'Genid.DAT'.The credentials are stored encrypted   
in another text file "Genid.dat".A vulnerability on this application  
that make password can be take by browser(download),then use program encryption  
to descrypt the password/username .The password and username was encrypted and   
save it as 'Genit.DAT'.  
  
  
Sample source:  
  
(..)  
EncryptUserID = CryptText(name, "$u@gess", False)  
EncryptPassword = CryptText(pass, "$u@gess", False)  
passFile = server.mappath("db\Genid.dat")  
(..)  
  
  
Here a vulnerable Administration Database;  
  
passFile = server.mappath("db\Genid.dat")  
  
Execute URL 'http://localhost/db/Genit.dat',then we go to download files  
,use notepad to open file;  
  
  
User name :  
Ö¤ÔÎáܗé²ÈÙâå <-------  
|  
Password : |  
å¡ÚØêâ–Ù <------|  
|  
---------------------  
|  
|  
------ > 'Open 'Genid.dat' at directory 'db' ,  
then use SEDT tools to sure descrypt for the files 'Genit.dat'  
  
  
  
  
Solution:  
Modify or rename "db\Genid.dat" to another name,sample:  
(..)  
EncryptUserID = CryptText(name, "$u@gess", False)  
EncryptPassword = CryptText(pass, "$u@gess", False)  
passFile = server.mappath("db\Genid.dat")'A vulnerable line  
'server.mappath("db\Genid.dat") modify to 'server.mappath("somepage\filename.dat")  
(..)  
Other else change string "$u@gess" is a crypt key. Change it at your will.   
But make sure it's the same on the "commit.asp" page.  
  
  
  
  
Vendor URL:  
http://www.gurgensvbstuff.com  
  
  
  
Security Audit Tools:  
http://user.7host.com/stardawn/files/sedt.zip  
  
  
  
  
Credits:  
Published by - basher13[[email protected]]  
  
--   
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
14 Aug 2005 00:00Current
7.4High risk
Vulners AI Score7.4
ultimate forumpassword databasevulnerabilityopen forumencrypted credentialscredentials theftsecurity audit toolsvendor url
29