[VulnWatch] [SecurityOffice] Webserver 4D v3.6 Weak Password Preservation Vulnerability

From: Tamer Sahin (ts@securityoffice.net)
Date: 09/25/02

Date: Wed, 25 Sep 2002 21:32:25 +0300
From: Tamer Sahin <ts@securityoffice.net>
To: vulnwatch@vulnwatch.org


--[ Webserver 4D v3.6 Weak Password Preservation Vulnerability ]--

--[ Type

Design Error

--[ Release Date

September 25, 2002

--[ Product / Vendor

Webserver 4D by MDG Computer Services, Inc. is a complete Web Server
environment written entirely on top of 4th Dimension, a very powerful relational
database for Macintosh and Windows NT. Running on top of a database means
your server can detect if someone is a new user, how many times a page has
been accessed and much more.

Web Server 4D currently has three optional modules that are built into every
copy of Web Server 4D.

The three modules are:

- WS4D/eCommerce
- WS4D/SSL
- WS4D/Email-Search


--[ Summary

The WS4D web server stores passwords insecurely. The WS4D data file "Ws4d.4DD"
(C:\Program Files\MDG\Web Server 4D 3.6.0\Ws4d.4DD) can be opened in any
text editor, and the usernames and passwords are clearly visible.

The affected passwords and usernames, and the modules they belong to:

Storefronts Passwords (eCommerce Module):

StoreFronts is the area in WS4D/eCommerce that identifies each storefront. Credit card
processing, shipping information, address, phone, passwords and other information are
collected for each storefront.

WS4D Web Server Authentication Mechanism:

Web Server 4D supports basic HTTP Authentication, which supports realms, users and
groups. When security is activated for a realm, a dialog box will be presented to the client
asking for a valid name and password. After a valid name and password is entered, the
requested page will be displayed.

Console Password (Hide Menus):

The Hide Menus option will hide all the WS4D menus until the Show Menus option is
selected. This feature is useful for co-located WS4D servers or if you require additional
security at the console for your server. Since all the menus are hidden, all WS4D settings
and databases will be hidden/protected.

Database Administrator Password:

Web Server 4D has the ability to publish unlimited databases with ease. WS4D introduces a
new way to publish unlimited databases on the web, via HTML. Setup of the database,
specifying fields to use, which forms to use, and which fields are required are all defined in HTML
hidden fields.
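
A defender's check for the condition described in this summary, as an added example that is not part of the original advisory: create canary accounts with known values on a test installation, then scan the data file for those values stored verbatim. The canary values, the encodings tried and the sample bytes are constructed assumptions; the advisory does not describe the file's layout.

```python
import os
import tempfile

# Assumed encodings; the layout of the 4D data file is not described in the advisory.
ENCODINGS = ("ascii", "utf-16-le")

# Constructed sample standing in for a data file: two canary values in ASCII,
# one repeated in UTF-16LE, separated by NUL padding.
SAMPLE = (b"\x00" * 10 + b"canary_admin" + b"\x00" * 4 + b"Canary-7f3a!"
          + b"\x00" * 6 + "Canary-7f3a!".encode("utf-16-le"))


def find_plaintext(path, canaries, chunk_size=1 << 20):
    """Return sorted (canary, encoding, offset) for each verbatim occurrence in path."""
    needles = {}
    for canary in filter(None, canaries):  # skip empty strings
        for enc in ENCODINGS:
            try:
                needles[canary.encode(enc)] = (canary, enc)
            except UnicodeEncodeError:
                continue  # not representable in this encoding
    if not needles:
        return []
    overlap = max(len(n) for n in needles) - 1
    hits, tail, base = set(), b"", 0  # base = file offset of tail[0]
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = tail + chunk
            for needle, (canary, enc) in needles.items():
                pos = window.find(needle)
                while pos != -1:
                    hits.add((canary, enc, base + pos))
                    pos = window.find(needle, pos + 1)
            # Carry over enough bytes to catch a value split across two reads.
            keep = min(overlap, len(window))
            base += len(window) - keep
            tail = window[len(window) - keep:]
    return sorted(hits)


def scan_sample(chunk_size=7):
    """Write SAMPLE to a temporary file and scan it for the canary values."""
    fd, path = tempfile.mkstemp(suffix=".4DD")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(SAMPLE)
        return find_plaintext(path, ["canary_admin", "Canary-7f3a!"], chunk_size)
    finally:
        os.remove(path)
```

Any hit means the value is recoverable by anyone who can read the file, so file permissions and backups of the data file become the only protection for those credentials.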

--[ Tested

Webserver 4D 3.6 / Windows 2000 sp3

--[ Vulnerable

Webserver 4D 3.6 / Windows 2000 sp3

--[ Disclaimer

http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the
information and/or the software listed on this security advisory.

--[ Author

Tamer Sahin

All our advisories can be viewed at http://www.securityoffice.net/articles/

Please send suggestions, updates, and comments to feedback@securityoffice.net

(c) 2002 SecurityOffice

This Security Advisory may be reproduced and distributed, provided that this Security
Advisory is not modified in any way and is attributed to SecurityOffice and provided that
such reproduction and distribution is performed for non-commercial purposes.

Tamer Sahin
