Bugtraq mailing list archives
Wemilo
From: cassius () HUSHMAIL COM (cassius () HUSHMAIL COM)
Date: Sun, 30 Apr 2000 22:37:59 -0800
On every Cart32 installation I have looked at, cart32clientlist will accept any string or nothing at all. No password is required to view the client list and password hashes. Does hexing 'wemilo' out of the exe prevent this? Also, I have seen one site where they edited the HTML of cart32clientlist like this: <input type=password name="xxxxxxx"> This is useless and does not prevent anyone from creating a local copy with a full path to cart32.exe and a valid input field like this: <input type=password name="Cart32Password"> -Cassius
To: BUGTRAQ () SECURITYFOCUS COM Subject: Re: Alert: Cart32 secret password backdoor (CISADV000427) Greetings, I have a client using cart32 2.6 so I went to the cart32clientlist url mentioned in the alert and sure enough if dumped the hashed password list. I high-tailed it over there and open up the cart32.exe and was
unable
to find the "wemilo" password anywhere. Now this could be my fault, heck I haven't touched a hex editor in ages, but still it prompted me to go
back
to the clientlist url and try some random charecters instead of "wemilo". Well, it happily dumped the client list again. Just to make sure it wasn't just me I went out on the web and tried it at several sites running cart32 (2.6 and 3.0) and all but one case it dumped the client list. The one that didn't show a list DID show the open database messages so I think maybe it just wasn't set up. I may be missing something here but it seems to me you don't have to even know the "backdoor password" to dump the client list and hashes. my 2 cents, -Bill
IMPORTANT NOTICE: If you are not using HushMail, this message could have been read easily by the many people who have access to your open personal email messages. Get your FREE, totally secure email address at http://www.hushmail.com.
Current thread:
- Wemilo cassius () HUSHMAIL COM (Apr 30)
- pam_console bug Michal Zalewski (May 02)
- Re: pam_console bug Benjamin Smee (May 03)
- Re: pam_console bug Michal Zalewski (May 04)
- Re: pam_console bug Benjamin Smee (May 03)
- Re: Wemilo daedalus (May 02)
- Possible issue with Cisco on-line help? Fernando Montenegro (May 02)
- Re: Possible issue with Cisco on-line help? Fernando Montenegro (May 04)
- Re: Possible issue with Cisco on-line help? Lisa Napier (May 09)
- Re: Possible issue with Cisco on-line help? Fernando Montenegro (May 04)
- 4ward:It's a blue world! deepquest () NETSCAPE NET (May 02)
- Denial of service attack against tcpdump bretonh () PARANOIA PGCI CA (May 02)
- Re: Denial of service attack against tcpdump antirez (May 03)
(Thread continues...)
- pam_console bug Michal Zalewski (May 02)