
gurgens21.txt

14 Aug 2005 | Reported by basher13 | Type: packetstorm | Source: packetstormsecurity.com

Gurgens Guest Book Password Database Vulnerability in Version 2.1

Code
`Update:  
1:02 AM 5/13/2005  
  
  
Subject:  
" Gurgens Guest Book Password Database Vulnerability "  
  
  
Vulnerable version:  
Guest Book 2.1   
  
  
  
  
Description:  
Guest Book is a complete solution that requires little or no effort to set up and  
match to an existing website configuration. A Control Panel with a "Virtual Designer"  
allows the complete Guest Book design to be built on the client side.  
The idea behind this "Guest Book" is to store message records in a text file.  
Although, compared to ADO, it is a bit complicated to retrieve and set individual  
records in the text file, this method seems to be quicker. Messages are stored in  
a text file, "guestrecord.txt". This file is fully administrable through the "admin.asp"  
page.  
  
  
  
  
Vulnerability:  
The application stores its administration database in a directory called  
'db/', in a file with the .DAT extension named 'Genid.DAT'. The credentials are stored  
encrypted in another text file, "Genid.dat". The vulnerability is that this file  
can be fetched with a browser (downloaded), after which an encryption program  
can be used to decrypt the password and username. The password and username are  
encrypted and saved as 'Genid.DAT'.  
  
Sample source:  
  
ElseIF flag = 1 then  
Set objFile = CreateObject("Scripting.FileSystemObject")  
Password = Trim(Request.form("Password"))  
UserID = Trim(Request.form("UserID"))  
passFile = server.mappath("db\Genid.dat")'A vulnerable line  
Set passGet=objFile.OpenTextFile(passFile, 1)  
  
  
DUserID = passGet.ReadLine  
DecryptUserID = CryptText(DUserID, "$u@gess", True)  
DPass = passGet.ReadLine 'String "$u@gess" is a crypt key  
DecryptPassword = CryptText(DPass, "$u@gess", True)  
passGet.Close  
  
  
Here is the vulnerable administration database:  
  
passFile = server.mappath("db\Genid.dat")  
  
Request the URL 'http://localhost/db/Genid.dat' to download the file,  
then open it in Notepad:  
  
User name:  
Ö¤ÔÎáܗé²ÈÙâå  
  
Password:  
å¡ÚØêâ–Ù  
  
Both values come from 'Genid.dat' in the 'db' directory.  
The SEDT tool can then be used to decrypt the contents of 'Genid.dat'.  
  
  
  
  
Solution:  
Move or rename "db\Genid.dat" to another name, for example:  
(..)  
UserID = Trim(Request.form("UserID"))  
passFile = server.mappath("db\Genid.dat")'A vulnerable line  
'Change server.mappath("db\Genid.dat") to server.mappath("somepage\filename.dat")  
(..)  
Otherwise, change the string "$u@gess" to a value of your own, but make sure it is  
the same on the "reset.asp" page.  
  
  
  
  
Vendor URL:  
http://www.gurgensvbstuff.com  
  
  
  
  
Security Audit Tools:  
http://user.7host.com/stardawn/files/sedt.zip  
  
  
  
  
Credits:  
Published by - basher13  
  
--   
`
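An added example, not part of the original advisory or the vendor's code: a defender-side audit that scans the .asp sources under a web root, reports every data file opened through Server.MapPath that sits inside the served tree, and lists hardcoded CryptText keys. The function names and the sample tree are constructed for illustration, and treating only .asp and .asa as not served raw is an assumption.

```python
import re
import tempfile
from pathlib import Path

MAPPATH = re.compile(r'server\.mappath\(\s*"([^"]+)"\s*\)', re.I)
CRYPTKEY = re.compile(r'CryptText\([^,]+,\s*"([^"]+)"', re.I)
SCRIPT_EXT = {".asp", ".asa"}  # assumption: everything else is served as a static file

def audit_webroot(webroot):
    """Return (exposed data files, hardcoded keys) found via the .asp sources."""
    webroot = Path(webroot).resolve()
    exposed, keys = set(), set()
    for src in webroot.rglob("*.asp"):
        text = src.read_text(errors="replace")
        for rel in MAPPATH.findall(text):
            # Server.MapPath resolves a relative path against the page's directory.
            target = (src.parent / rel.replace("\\", "/")).resolve()
            inside = webroot in target.parents
            if inside and target.is_file() and target.suffix.lower() not in SCRIPT_EXT:
                exposed.add(target.relative_to(webroot).as_posix())
        for key in CRYPTKEY.findall(text):
            keys.add((src.relative_to(webroot).as_posix(), key))
    return sorted(exposed), sorted(keys)

# Constructed sample: three lines in the shape of the advisory's excerpt.
SAMPLE_ASP = r'''passFile = server.mappath("db\Genid.dat")
DecryptUserID = CryptText(DUserID, "$u@gess", True)
DecryptPassword = CryptText(DPass, "$u@gess", True)
'''

def demo():
    """Build a throwaway web root laid out like the advisory describes and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "Genid.dat").write_text("constructed placeholder\n")
        (root / "admin.asp").write_text(SAMPLE_ASP)
        return audit_webroot(root)

if __name__ == "__main__":
    print(demo())
```

A file reported as exposed remains downloadable after a rename if its new name becomes known; storing it outside the web root removes it from the served tree altogether.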
