Wemilo

[cassius () HUSHMAIL COM (cassius () HUSHMAIL COM)]

On every Cart32 installation I have looked at, cart32clientlist will accept
any string or nothing at all.
No password is required to view the client list and password hashes.

Does hexing 'wemilo' out of the exe prevent this?

Also, I have seen one site where they edited the HTML of cart32clientlist
like this:
<input type=password name="xxxxxxx">

This is useless and does not prevent anyone from creating a local copy
with a full path to cart32.exe and a valid input field like this:
<input type=password name="Cart32Password">

-Cassius

> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: Re: Alert: Cart32 secret password backdoor (CISADV000427)
>
> Greetings,
>
> I have a client using cart32 2.6 so I went to the cart32clientlist url
> mentioned in the alert and sure enough if dumped the hashed password
> list.  I high-tailed it over there and open up the cart32.exe and was
unable
> to find the "wemilo" password anywhere.  Now this could be my fault, heck
> I haven't touched a hex editor in ages, but still it prompted me to go
back
> to the clientlist url and try some random charecters instead of "wemilo".
> Well, it happily dumped the client list again.  Just to make sure it wasn't
> just me I went out on the web and tried it at several sites running cart32
> (2.6 and 3.0) and all but one case it dumped the client list.  The one
> that didn't show a list DID show the open database messages so I think
> maybe it just wasn't set up.  I may be missing something here but it seems
> to me you don't have to even know the "backdoor password" to dump the
> client list and hashes.
>
> my 2 cents,
> -Bill

IMPORTANT NOTICE:  If you are not using HushMail, this message could have been read easily by the many people who have 
access to your open personal email messages.
Get your FREE, totally secure email address at http://www.hushmail.com.