Clear text password vulnerability found in 12Planet Chat Server 2.5
http://www.12planet.com

Discovered by Dennis Rand
------------------------------------------------------------------------

-----[SUMMARY

12Planet Chat Server provides advanced chat functionalities aiming to offer discussion space for customers, partners and visitors. It addresses the demand from all web sites and intranet/extranet portals willing to offer "sticky" services to their visitors as well as secure and reliable real-time communication to their customers. Its moderation option enables businesses to organize online chat conferences by inviting celebrities and experts to talk with visitors and to moderate visitor questions through a moderation process.

When starting the Administration site of the Chat Server, the login and password are sent over the network in clear text.

-----[AFFECTED SYSTEMS

Vulnerable systems:
 * 12Planet Chat Server 2.5

Immune systems:
 *

-----[SEVERITY

Low/Medium - An attacker is able to put a network sniffer on the network and sniff the username and password, because they are sent in clear text form.

-----[DESCRIPTION OF WHAT THE VULNERABILITY IS

When the Administrator password is submitted on the login page, it is sent in clear text. The same problem occurs when you enter expert mode to change the administrator password: it is again sent in clear text.

The following transcript demonstrates a sample exploitation of the vulnerabilities:

-------------------------------------------------------------------
[Used Ethereal to sniff the traffic between the host and server]

LOGIN PAGE:

Here is the capture of the first line of defense from the 12Planet Chat server:

---------------------------- CUT HERE ----------------------------------------
POST /servlet/one2planet.infolet.InfoServlet HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://193.88.206.253:8080/servlet/one2planet.infolet.InfoServlet?
page=one2planet.community.core.PHLogin&technology=html&domain=default&
language=english&url=%40HTTP%3A%2F%2F193.88.206.253%3A8080%2Fservlet%2
Fone2planet.infolet.InfoServlet%3Fpage%3Done2planet.tools.PSDynPage%21
template%3D%2F12p_template%2Fwww%2Fapps%2Fchatserver%2Fwizard%2Findex.html
Accept-Language: da
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 193.88.206.253:8080
Content-Length: 292
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: SESSIONID=To1010mC7187873103878648At

page=one2planet.community.core.PHLogin&table=user&url=@HTTP%3A%2F%2F
%3A8080%2Fservlet%2Fone2planet.infolet.InfoServlet%3Fpage%3Done2planet.tools.PSDynPage%21
template%3D%2F12p_template%2Fwww%2Fapps%2Fchatserver%2Fwizard%2Findex.html&
vserver=&username=administrator&passwd=manager
---------------------------- CUT HERE ----------------------------------------

ADMINISTRATION PAGE

Now if the administrator wants to change the password from the default one, he or she enters the expert mode. From within here it is possible to change the password, but again the password is sent in clear text.

---------------------------- CUT HERE ----------------------------------------
page=one2planet.community.core.PHChangePassword&nickname=administrator&
psswd0=manager&psswd1=MYSecretPassWord&psswd2=MYSecretPassWord&submit3=OK

HTTP/1.0 200 OK
---------------------------- CUT HERE ----------------------------------------
--------------------------------------------------------------------

-----[DETECTION

12Planet Chat Server 2.5 is vulnerable to the above-described attacks. Earlier versions may be susceptible as well. To determine if a specific implementation is vulnerable, experiment by following the above transcript.
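As an added example (not code from the advisory or from 12Planet), the following Python check automates the detection step above for captured traffic: it parses a raw HTTP request, and for a form-encoded POST reports every field that carries a credential, masking the value so the detector itself does not re-expose the secret. The two sample requests are constructed from the field names in the transcript (page, username, passwd, psswd0..2); the header set is reduced to what the check needs.

```python
"""Flag credential fields sent in clear-text HTTP form posts (added example)."""
import re
from urllib.parse import parse_qs

# Field names the 12Planet login/change-password forms use for secrets,
# plus a few generic names so the check is not tied to one product.
CREDENTIAL_FIELD = re.compile(r"^(passwd|psswd\d|password|pass|pwd)$", re.I)

# Constructed sample requests modelled on the advisory's capture; only the
# request line, the Content-Type header and the form body are reproduced.
LOGIN_POST = (
    "POST /servlet/one2planet.infolet.InfoServlet HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "page=one2planet.community.core.PHLogin&table=user&vserver="
    "&username=administrator&passwd=manager"
)
CHANGE_POST = (
    "POST /servlet/one2planet.infolet.InfoServlet HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "page=one2planet.community.core.PHChangePassword&nickname=administrator"
    "&psswd0=manager&psswd1=MYSecretPassWord&psswd2=MYSecretPassWord&submit3=OK"
)

def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def find_cleartext_credentials(raw):
    """Return (page, field, masked_value) for each credential field in a
    form-encoded POST; a request readable like this was sent without TLS."""
    method, _target, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    form = parse_qs(body, keep_blank_values=True)
    page = form.get("page", ["?"])[0]
    findings = []
    for field, values in form.items():
        if CREDENTIAL_FIELD.match(field):
            for value in values:  # mask: keep only the first character
                findings.append((page, field, value[:1] + "*" * (len(value) - 1)))
    return findings
```

Run over a capture split into individual requests, a non-empty result for the administration servlet is exactly the condition the DETECTION section describes.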
-----[WORK AROUNDS

As the vendor writes, they recommend that their customers add an HTTPS layer (through the Apache Proxy feature, for example) to the administration console for the deployment of production servers.

-----[VENDOR RESPONSE

Thank you for the bug report. We are currently analyzing the issues and will keep you updated on the progress.

We recommend our customers to add a HTTPS layer (through Apache Proxy feature for example) to the administration console for the deployment of production servers, this to solve the second issue you listed.

12Planet will provide assistance to all the customers that are interested in the patch (email to: support@12planet.com)

Best regards,
Lei
12Planet

-----[DISCLOSURE TIMELINE

24/02/2003 Found the Vulnerability.
25/02/2003 Reported to iDEFENSE
31/03/2003 Received rejection from iDEFENSE
01/04/2003 Reported to 12Planet (support@12planet.com; bugs@12planet.com; sales@12planet.com; features@12planet.com)
01/04/2003 Received response from 12Planet
11/04/2003 Public Disclosure.

-----[ADDITIONAL INFORMATION

The vulnerability was discovered by Dennis Rand

-----[DISCLAIMER:

The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.