ultimatedisclose.txt

2005-08-14T00:00:00
ID PACKETSTORM:39259
Type packetstorm
Reporter basher13
Modified 2005-08-14T00:00:00

Description

                                        
                                            `Update:  
12:15 AM 5/14/2005  
  
Subject:  
" Ultimate Forum Password Database Vulnerability "  
  
  
Vulnerable version:  
Ultimate Forum 1.0  
  
  
  
  
Description:  
Ultimate forum is an Open forum i.e. no logon restrictions or private areas.  
Forum is a text file based. Each forum is multithreaded and stored in a separate   
text file in the folder db/Forums. All of the forum management should be done via   
administration page “admin.asp”.  
  
  
  
  
  
Vulnerability:  
The application has stored database for Administration on the directory called  
'db/',uses filetype .DAT extention as 'Genid.DAT'.The credentials are stored encrypted   
in another text file "Genid.dat".A vulnerability on this application  
that make password can be take by browser(download),then use program encryption  
to descrypt the password/username .The password and username was encrypted and   
save it as 'Genit.DAT'.  
  
  
Sample source:  
  
(..)  
EncryptUserID = CryptText(name, "$u@gess", False)  
EncryptPassword = CryptText(pass, "$u@gess", False)  
passFile = server.mappath("db\Genid.dat")  
(..)  
  
  
Here a vulnerable Administration Database;  
  
passFile = server.mappath("db\Genid.dat")  
  
Execute URL 'http://localhost/db/Genit.dat',then we go to download files  
,use notepad to open file;  
  
  
User name :  
Ö¤ÔÎáܗé²ÈÙâå <-------  
|  
Password : |  
å¡ÚØêâ–Ù <------|  
|  
---------------------  
|  
|  
------ > 'Open 'Genid.dat' at directory 'db' ,  
then use SEDT tools to sure descrypt for the files 'Genit.dat'  
  
  
  
  
Solution:  
Modify or rename "db\Genid.dat" to another name,sample:  
(..)  
EncryptUserID = CryptText(name, "$u@gess", False)  
EncryptPassword = CryptText(pass, "$u@gess", False)  
passFile = server.mappath("db\Genid.dat")'A vulnerable line  
'server.mappath("db\Genid.dat") modify to 'server.mappath("somepage\filename.dat")  
(..)  
Other else change string "$u@gess" is a crypt key. Change it at your will.   
But make sure it's the same on the "commit.asp" page.  
  
  
  
  
Vendor URL:  
http://www.gurgensvbstuff.com  
  
  
  
Security Audit Tools:  
http://user.7host.com/stardawn/files/sedt.zip  
  
  
  
  
Credits:  
Published by - basher13[basher13@linuxmail.org]  
  
--   
`