Re: security of _notes dirs

[Greg <kamago () free fr>]

Hi,

Le Mercredi 14 Septembre 2005 18:21, Mailing List a écrit :
> I've found something worse, a file called contribute.xml which contains
> a password. I'm going to have a look to see if I can find out how the
> password is stored and if it can be decrypted/broken in some way.

For the obvious part, all the "passwords" are 32 characters long, so chances 
that they are MD5 hashes are great. Then, for the email value it's just the 
hex-encoded value of the real email. This perl one-liner will give you the 
real mail :

perl -e '$ARGV[0] =~ s/(..)/pack "H2", $1/ge; print "${ARGV[0]}\n";' hex_email

For the password hash, a lookup in an online md5 hash database shows up 
results for some of them.

> A quick google for
>
> inurl:contribute.xml
>
> shows lots of these files around, I can't have just found a massive
> security failing can I? I must be missing something somewhere.

I'm not familiar with Macromedia Contribute, so I don't know if this file must 
be present on the production server, and how much you can mess the site up if 
you have the password. Maybe someone else on the list ?

And one last thing : this is not a security flaw in Macromedia Contribute, but 
a malpractice from the webmasters. If they read the doc and learn how to 
write a 3 lines .htaccess, they wouldn't have this information exposed.

Greg