--[ Webserver 4D v3.6 Weak Password Preservation Vulnerability ]--

--[ Type

Design Error

--[ Release Date

September 25, 2002

--[ Product / Vendor

Webserver 4D by MDG Computer Services, Inc. is a complete Web Server environment written entirely on top of 4th Dimension, a very powerful relational database for Macintosh and Windows NT. Running on top of a database means your server can detect if someone is a new user, how many times a page has been accessed and much more. Web Server 4D currently has three optional modules that are built in to every copy of Web Server 4D. The three modules are:

- WS4D/eCommerce
- WS4D/SSL
- WS4D/Email-Search

http://www.mdg.com

--[ Summary

The WS4D web server saves its passwords in an insecure location. The WS4D data file "Ws4d.4DD" (C:\Program Files\MDG\Web Server 4D 3.6.0\Ws4d.4DD) can be opened with any text editor, and the usernames and passwords can be viewed in clear text. The passwords and usernames, and the modules they belong to, are:

Storefront Passwords (eCommerce Module): StoreFronts is the area in WS4D/eCommerce that identifies each storefront. Credit card processing, shipping information, address, phone, passwords and other information are collected for each storefront.

WS4D Web Server Authentication Mechanism: Web Server 4D supports basic HTTP Authentication, which supports realms, users and groups. When security is activated for a realm, a dialog box will be presented to the client asking for a valid name and password. After a valid name and password is entered, the requested page will be displayed.

Console Password (Hide Menus): The Hide Menus option will hide all the WS4D menus until the Show Menus option is selected. This feature is useful for co-located WS4D servers or if you require additional security at the console for your server. Since all the menus are hidden, all WS4D settings and databases will be hidden/protected.

Database Administrator Password: Web Server 4D has the ability to publish unlimited databases with ease. WS4D introduces a new way to publish unlimited databases on the web, via HTML. Setup of the database, specifying fields to use, which forms to use, which fields are required are all defined in HTML hidden fields.

--[ Tested

Webserver 4D 3.6 / Windows 2000 SP3

--[ Vulnerable

Webserver 4D 3.6 / Windows 2000 SP3

--[ Disclaimer

http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory.

--[ Author

Tamer Sahin
ts@securityoffice.net
http://www.securityoffice.net

All our advisories can be viewed at http://www.securityoffice.net/articles/

Please send suggestions, updates, and comments to feedback@securityoffice.net

(c) 2002 SecurityOffice

This Security Advisory may be reproduced and distributed, provided that this Security Advisory is not modified in any way and is attributed to SecurityOffice and provided that such reproduction and distribution is performed for non-commercial purposes.

Tamer Sahin
http://www.securityoffice.net
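The design error in the Summary above is that realm, storefront and console credentials are written to the data file in clear. The following is an added example (not WS4D code and not the Ws4d.4DD format; realm names, users and the store layout are assumed) showing what a disclosure-resistant store for the HTTP Basic realm mechanism looks like: only salted PBKDF2 records are kept, the Authorization header is checked against them, and a helper simulates opening the store in a text editor to confirm no password is visible.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value, not a WS4D setting

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing salted PBKDF2-SHA256 record; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the record's own salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

DUMMY_RECORD = hash_password("unused")  # checked for unknown users so timing does not reveal valid names

def build_realm_store(realms: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """realm -> {user: hash record}. Hypothetical layout, not the Ws4d.4DD file format."""
    return {realm: {u: hash_password(p) for u, p in users.items()} for realm, users in realms.items()}

def basic_header(user: str, password: str) -> str:
    """Build the 'Authorization: Basic' value a browser sends after the realm's login dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic_auth(header: str, realm: str, store: Dict[str, Dict[str, str]]) -> bool:
    """Accept the request only if user and password match the realm's hashed record."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 credentials
        return False
    record = store.get(realm, {}).get(user)
    if record is None:
        verify_password(password, DUMMY_RECORD)
        return False
    return verify_password(password, record)

def store_reveals(store: Dict[str, Dict[str, str]], secrets: Iterable[str]) -> bool:
    """Simulate opening the store in a text editor: is any password visible in clear?"""
    return any(s in repr(store) for s in secrets)
```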