[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Gurgens Guest Book Password Database Vulnerability

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Gurgens Guest Book Password Database Vulnerability
From: "eric basher" <basher13@xxxxxxxxxxxxx>
Date: Sun, 15 May 2005 20:42:51 +0800

Update:
1:02 AM 5/13/2005


Subject:
" Gurgens Guest Book  Password Database Vulnerability "


Vulnerable version:
Guest Book 2.1 




Description:
Guest Book is a complete solution which requires none or very little effort to 
set up and 
match existing website configuration. Control Panel with "Virtual Designer" 
allows 
complete Guest Book  design build  on the client side  
The idea behind this ?Guest Book? is, to store message records in a text file. 
Although, compare to ADO, it's a bit complicated to retrieve and set individual 
records in the text file, this method seems to be quicker.Messages are stored 
in 
a text file ?guestrecord.txt?. This file if fully administrable through 
?admin.asp ? 
page.  




Vulnerability:
The application has stored database for Administration  on the directory called
'db/',uses filetype .DAT extention as 'Genid.DAT'.The credentials are stored 
encrypted 
in another text file "Genid.dat".A vulnerability on this application
that make password can be take by browser(download),then use program encryption
to descrypt the password/username .The password and username was encrypted and 
save it as 'Genit.DAT'.

Sample source:

ElseIF flag = 1 then
        Set objFile = CreateObject("Scripting.FileSystemObject")
        Password = Trim(Request.form("Password"))
        UserID = Trim(Request.form("UserID"))
        passFile = server.mappath("db\Genid.dat")'A vulnerable line
        Set passGet=objFile.OpenTextFile(passFile, 1)


        DUserID = passGet.ReadLine
        DecryptUserID = CryptText(DUserID, "$u@gess", True)
        DPass = passGet.ReadLine 'String "$u@gess" is a crypt key
        DecryptPassword = CryptText(DPass, "$u@gess", True)
        passGet.Close


Here a vulnerable Administration Database;

passFile = server.mappath("db\Genid.dat")

Execute URL 'http://localhost/db/Genit.dat',then we go to download files
,use notepad to open file;

User name :
Ö¤ÔÎáÜ?é²ÈÙâå     <-------
                         |
Password =               |
å¡ÚØêâ?Ù          <------|
                         |
--------------------------
|
|
|
------ > 'Open 'Genid.dat' on directory 'db' ,
then use SEDT tools to sure descrypt the files 'Genit.dat'




Solution:
Modify or rename "db\Genid.dat" to another name,sample:
(..)
UserID = Trim(Request.form("UserID"))
passFile = server.mappath("db\Genid.dat")'A vulnerable line
'server.mappath("db\Genid.dat") modify to 
server.mappath("somepage\filename.dat")
(..)
Other else Change String "$u@gess" it at your will. But make sure it's the same 
on the "reset.asp" page.




Vendor URL:
http://www.gurgensvbstuff.com




Security Audit Tools:
http://user.7host.com/stardawn/files/sedt.zip




Credits:
Published by - basher13[basher13@xxxxxxxxxxxxx]

-- 
_______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.

Powered by Outblaze
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Ultimate Forum Password Database Vulnerability
Next by Date: RE: [Full-disclosure] RE: Bening Worms (Cosmin Stejerean)= Mutated
Previous by thread: [Full-disclosure] Ultimate Forum Password Database Vulnerability
Next by thread: [Full-disclosure] Microsoft's Security Response Center - The Videos
Index(es):
- Date
- Thread