The Java version is also vulnerable. The username, password and secret url can be extracted from the param "0" in the html code. I wrote a small program for this purpose a couple of months ago. Password Wizard java sample: http://www.coffeecup.com/java-password/samples/ <applet code="joylock.class" width=342 height=140> <param name="GENERATOR" value="CREATED WITH THE APPLET PASSWORD WIZARD WWW.COFFEECUP.COM"> <param name="GENERAL" value="1|11|004080|FFFFFF|wslzebajkcnrvogpquftxhidmyvttp://aaa.jnsseejrp.jny /ywxxce.vtyc| |Login Complete.|Enter the Username and Password.| | |"> <param name="0" value="6|4|36|0|cftzmapuxnrsjibgwykqvleodhlfegvwcwlczccg://qqq.axbbwwahg.axe /enyyvw.zcev"> </applet> Best regards, Per-Ola Kristiansson ----- Original Message ----- From: "Rynho Zeros Web" <hackargentino@gmx.net> To: <bugtraq@securityfocus.com> Sent: Saturday, March 01, 2003 12:42 AM Subject: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All Versions > + Topic: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All > Versions > > + Product: CoffeeCup Password Wizard All Versions > > + Vendor: CoffeeCup Software, Inc. > > + Site: http://www.coffeecup.com/java-password/ > > + About CoffeeCup Password Wizard: Create unlimited password protected pages > > with unlimited usernames and passwords with CoffeeCup Password Wizard. > You don't even have to know Flash, Java, or HTML ! Customize the look and > feel to match your page. You can even point different users to different > URLs ! Preview within the program or your favorite browser. It's all that > easy ! All this and more make CoffeeCup Password Wizard the easiest way > to password protect your pages ! (¿?) > > + Description: Easy obtaining of names of users, passwords and a URL > of direct access to the preferences of the same one. > > + Exploit: > > go to the login panel, see sourcecode HTML in search of the location > of the file .swf used to make login. > > Example: > > Go to > https://www.victim.com/billing/ > > See sourcecode, > > [...] > ID=billing WIDTH=146 HEIGHT=125> > <PARAM NAME=movie VALUE="billing.swf"> > <PARAM NAME=quality VALUE=high> > [...] > > (https://www.victim.com/billing/billing.swf) > > the file of the passwords is called just as the file of login, but with > the extension .apw > > now, go to & download the file: > https://www.victim.com/billing/billing.apw (APW Is The COFFEECUP Password > Wizard File) > > by I complete it opens east file with any text editor and found all the > users > with its passwords and the URL of direct access to its options. > > Example of passwords file: > > --------- billing.apw ----------- > > COFFEECUP PASSWORD WIZARD FILE > WWW.COFFEECUP.COM > PLEASE DO NOT EDIT!!!! > > MOVIE WIDTH:120 > MOVIE HEIGHT:100 > MOVIE FRAME RATE:0 > MOVIE BK COLOR:$00ECECEC > MOVIE DEFAULT URL: > MOVIE DEFAULT FRAME: > MOVIE SWF NAME:billing.swf > MOVIE SWF PATH:C:\Documents and Settings\vhost\Mis documentos\Mis > Webs\victim.com\new website project\billing\ > MOVIE FONT NAME:MS Sans Serif > MOVIE FONT SIZE:8 > MOVIE FONT COLOR:clBlack > MOVIE TRANSPARENT TRUE > MOVIE VERTICAL TRUE > > USER BOX LEFT:2 > USER BOX TOP:1 > USER BOX WIDTH:116 > USER BOX HEIGHT:34 > USER BOX CAPTION:Username > > PASS BOX LEFT:2 > PASS BOX TOP:36 > PASS BOX WIDTH:116 > PASS BOX HEIGHT:34 > PASS BOX CAPTION:Password > > BUTTON LEFT:15 > BUTTON TOP:78 > BUTTON WIDTH:90 > BUTTON HEIGHT:20 > BUTTON PATH: > BUTTON TX:1 > BUTTON TY:1 > > ADD USER:0anyweb xnet0305 https://www.victim.com/billing/anyweb0001.htm > ADD USER:0anysite xnet2904 https://www.victim.com/billing/anysite0002.htm > [...] > END > > --------- billing.apw ----------- > > Example of user & pass on billing: > > user: anyweb > pass: xnet0305 > url option panel: https://www.victim.com/billing/anyweb0001.htm > > > ---------------------------------------------------------------- > > [EOF] > > ----------------------------------------------- > Credits: ToOcOoL (http://www.valenciahack.com/) > ----------------------------------------------- > > -------------------------------- > Note: sorry by my bad english ;) > -------------------------------- > > -- > XyBØrG > WebMaster de: > www.RZWEB.com.ar > Powered By Dattatec.Com > > +++ GMX - Mail, Messaging & more http://www.gmx.net +++ > Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage! >
Attachment:
passwiz.c
Description: Binary data
