IRCXpro 1.0 - Clear local and default remote admin passwords

2003-06-04T00:00:00
ID SECURITYVULNS:DOC:4643
Type securityvulns
Reporter Securityvulns
Modified 2003-06-04T00:00:00

Description


      - EXPL-A-2003-002 exploitlabs.com Advisory 002

                      -=- IRCXpro 1.0 -=-

Vunerability(s):

1.local clear passwords 2.remote default admin enabled

Product:

IRCXpro Server 1.0 http://www.ircxpro.com

Reviews:

http://www.serverwatch.com/sreviews/article.php/1501261 http://reviews.zdnet.co.uk/review/41/2/3418.html

Description of product:

"IRCXpro is a feature rich Internet Relay-Chat (IRC/IRCX) Server that can provide the basis for an interactive online community. Guests will be able to take part in conversation using either an Internet Browser chat client or 3rd party chat software."

VUNERABILITY / EXPLOIT

Local:

All passwords and user names are inside settings.ini ... in the clear

Remote:

Default Settings... Remote admin.

Serv.LogonSettings "LocalHost", 7100, "admin", "password"

Vendor Fix:

No fix on 0day

Vendor Contact:

sales@ircxpro.com support@ircxpro.com

Concurrent with this advisory

Credits:

Donnie Werner http://exploitlabs.com "where finding your holes is job one, and plugging them twice the phun" morning_wood@exploitlabs.com Corporate Security Needs at http://fram4.com Security Systems