Title: Cart32 admin password vulnerability
Released by: Cart32 and Colin Hart
Date: 6th November 2000
Joint advisory issued by Cart32 and Colin Hart

---------------------------------------

Date Published:

6th November 2000

---------------------------------------

Title:

Cart32 admin password vulnerability

---------------------------------------

Vulnerable Packages/Systems:

Cart32 v3.5 build 619, in the default configuration from a remote installation. Earlier versions with other installation methods may be affected.

---------------------------------------

Vulnerability Description:

The Cart32 installation creates a file, cart32.ini, which contains the administrator password in hashed form.

The encryption on the password is weak and can easily be broken. At Cart32's request the algorithm will not be disclosed in this advisory.

Also, in some circumstances, cart32.ini may contain the current and historical administrative passwords in plaintext in the Debug section of the file.

---------------------------------------

Solution:

1) Upgrade to version 3.5a build 710, which contains stronger password encryption and removes the debug issue, as soon as possible. It is available from http://www.cart32.com/update

2) Follow Cart32's advice on how to secure your Cart32 files, which is at http://www.cart32.com/kbshow.asp?article=C050 and includes a reference to the location of the cart32.ini file. There are other articles in their knowledge base regarding securing your Cart32 installation.

You can download a 30-day demo of Cart32 at http://www.cart32.com.

For info on previous Cart32 issues see:
http://www.cerberus-infosec.co.uk/advcart32.html
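Added example, not code from the advisory or from Cart32: a small Python audit that checks a cart32.ini for the two conditions described above, plaintext credentials left in the Debug section and a build older than the fixed 3.5a build 710. The key names, the Version line and the sample file are assumptions, since the advisory does not publish the file's layout.

```python
"""Audit a cart32.ini for the conditions this advisory describes: plaintext
credentials under [Debug] and a build older than the fixed 3.5a build 710."""
import re
from typing import List, Tuple

# Constructed sample (hypothetical key names, not the real product's):
# an unpatched build whose [Debug] echoes current and old admin passwords.
SAMPLE_INI = """\
[Cart32]
Version=3.5 build 619
AdminPassword=q7Fz9sLp

[Debug]
OldAdminPassword=summer99
AdminPassword=hunter2
AdminPassword=autumn2000
LogLevel=3
"""

CRED_KEY = re.compile(r"pass(word|wd)?", re.IGNORECASE)

def parse_ini(text: str) -> List[Tuple[str, str, str]]:
    """(section, key, value) triples in file order; duplicate keys are kept,
    since [Debug] may repeat a key once per historical password."""
    section, out = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            out.append((section, key, value))
    return out

def find_debug_credentials(text: str) -> List[Tuple[str, str]]:
    """Credential-looking keys with a value inside [Debug]; the hashed
    AdminPassword in [Cart32] is deliberately not reported."""
    return [(k, v) for s, k, v in parse_ini(text)
            if s == "debug" and CRED_KEY.search(k) and v]

def is_patched_build(text: str) -> bool:
    """True when the Version value reports build 710 or later."""
    for _, k, v in parse_ini(text):
        if k.lower() == "version":
            m = re.search(r"build\s+(\d+)", v, re.IGNORECASE)
            return bool(m) and int(m.group(1)) >= 710
    return False
```

Any hit from find_debug_credentials means the file should be treated as a credential leak: rotate the administrator password after upgrading, and confirm the file is not readable through the web server.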

---------------------------------------

About:

Cart32 is a product of McMurtrey/Whitaker & Associates, Inc., which has been in business since 1989 developing software solutions for clients worldwide.

support@cart32.com

Colin Hart is a UK-based independent consultant specialising in NT systems, their design, administration and security for small, medium and large organisations internationally.

---------------------------------------

Thanks:

From Colin Hart to:

Bryan Whitaker for swift action and cooperation.

RFP for RFPolicy

Trey

---------------------------------------

You may copy or redistribute this advisory but only in its entirety.

(c) Colin Hart 2000

This advisory was created using RFPolicy 2.0:
http://www.wiretrip.net/rfp/policy.html