[14761] in bugtraq
Re: Wemilo
daemon@ATHENA.MIT.EDU (daedalus)
Wed May 3 13:36:56 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id: <4.3.1.2.20000502165102.03c9d650@mail.conwin.com>
Date: Tue, 2 May 2000 16:55:33 -0500
Reply-To: daedalus <daedalus@RIPCO.COM>
From: daedalus <daedalus@RIPCO.COM>
X-To: cassius@HUSHMAIL.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200005010541.WAA16974@mail5.hushmail.com>

I have since changed the wemilo password on two installations and
in both cases it did NOT prevent access to the password hashes.
-Bill

At 10:37 PM 4/30/00 -0800, you wrote:
>On every Cart32 installation I have looked at, cart32clientlist will accept
>any string or nothing at all.
>No password is required to view the client list and password hashes.
>
>Does hexing 'wemilo' out of the exe prevent this?
>
>Also, I have seen one site where they edited the HTML of cart32clientlist
>like this:
><input type=password name="xxxxxxx">
>
>This is useless and does not prevent anyone from creating a local copy
>with a full path to cart32.exe and a valid input field like this:
><input type=password name="Cart32Password">
>
>
>-Cassius
>
>
>
> > To: BUGTRAQ@SECURITYFOCUS.COM
> > Subject: Re: Alert: Cart32 secret password backdoor (CISADV000427)
> >
> > Greetings,
> >
> > I have a client using cart32 2.6 so I went to the cart32clientlist url
> > mentioned in the alert and sure enough it dumped the hashed password
> > list. I high-tailed it over there and opened up the cart32.exe and was
> > unable to find the "wemilo" password anywhere. Now this could be my fault, heck
> > I haven't touched a hex editor in ages, but still it prompted me to go
> > back to the clientlist url and try some random characters instead of "wemilo".
> > Well, it happily dumped the client list again. Just to make sure it wasn't
> > just me I went out on the web and tried it at several sites running cart32
> > (2.6 and 3.0) and in all but one case it dumped the client list. The one
> > that didn't show a list DID show the open database messages so I think
> > maybe it just wasn't set up. I may be missing something here but it seems
> > to me you don't have to even know the "backdoor password" to dump the
> > client list and hashes.
> >
> > my 2 cents,
> > -Bill
>
--
/********************************************************************
Bill Borton
Mailto:daedalus@ripco.com
http://pages.ripco.com/~daedalus

Remember: Never use a big word where a diminutive one will suffice.
********************************************************************/