(hhp) DBMan advisory. (hhp) hhp-ADV#10 by: loophole hhp@hhp.perlx.com 11/9/99 6:32:57pm CST. --------------------------------------------------------------------- Alright, to my knowledge, there is a problem with a peice of software named 'DBMan'. You can download this software at URL: http://dreamcatchersweb.com/scripts/ The problem is based on default file/directory permissions via bad instalation steps. The following text comes from the readme file in the software at step 2.: >You should find the following files in the archive and they >should have the following permissions > >db.cgi (755) -rwxr--r-- >html.pl (644) -rw-r--r-- >auth.pl (644) -rw-r--r-- >default.cfg (644) -rw-r--r-- >default.pass (666) -rw-rw-rw- >default.count (666) -rw-rw-rw- >default.log (666) -rw-rw-rw- >default.db (666) -rw-rw-rw >auth (777) drwxrwxrwx >README.txt (644) -rw-r--r-- A big problem is in defualt.pass which contains crypt(3) passwords that can easily be cracked via 'john the ripper' or other standard DES password crackers. Which then the cracker could access db.cgi and change/delete the database, passwords, or anything he choses. I think the easiest way to fix this, is for the software programmers to touch up on the security side of thier software and to change the default permissions in the readme file(There is no need for world readable access to the user password file). -hhp-2t0-------------------------------------------------------------