Webserver 4D v3.6 Weak Password Preservation Vulnerability

Type

Design Error

Release Date

September 25, 2002

Product / Vendor

Webserver 4D by MDG Computer Services, Inc. is a complete web server environment written entirely on top of 4th Dimension, a powerful relational database for Macintosh and Windows NT. Running on top of a database means the server can detect whether someone is a new user, how many times a page has been accessed, and much more.

Web Server 4D currently has three optional modules that are built into every copy of Web Server 4D.

The three modules are:

- WS4D/eCommerce
- WS4D/SSL
- WS4D/Email-Search

http://www.mdg.com

Summary

The WS4D web server stores its passwords insecurely. The WS4D data file "Ws4d.4DD" (C:\Program Files\MDG\Web Server 4D 3.6.0\Ws4d.4DD) can be opened in any text editor, and the usernames and passwords can be read in clear text.

The affected passwords and usernames, and the modules they belong to:

Storefronts Passwords (eCommerce Module):

StoreFronts is the area in WS4D/eCommerce that identifies each storefront. Credit card processing details, shipping information, address, phone, passwords and other information are collected for each storefront.

WS4D Web Server Authentication Mechanism:

Web Server 4D supports basic HTTP authentication, with realms, users and groups. When security is activated for a realm, the client is presented with a dialog box asking for a valid name and password. After a valid name and password are entered, the requested page is displayed.
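The advisory's finding is that the credentials behind this authentication mechanism are kept in the clear in the data file. The following is an added illustration, not WS4D code, of how a realm-based HTTP Basic authentication store can hold only salted password hashes, so that reading the file yields nothing directly reusable; the store layout, iteration count and the sample user "alice" are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# realm -> username -> (salt, PBKDF2 digest). Constructed in-memory store for
# the example; only salted hashes are kept, never the cleartext password.
CredentialStore = Dict[str, Dict[str, Tuple[bytes, bytes]]]

ITERATIONS = 200_000  # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def add_user(store: CredentialStore, realm: str, user: str, password: str) -> None:
    """Record a user for a realm, storing the salted hash instead of the password."""
    store.setdefault(realm, {})[user] = hash_password(password)


def basic_header(user: str, password: str) -> str:
    """Build the client side: Authorization: Basic base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Decode a Basic header into (user, password); None if it is malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None


def authenticate(store: CredentialStore, realm: str, header: str) -> bool:
    """Verify a Basic header against the realm's hashed records."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    record = store.get(realm, {}).get(user)
    if record is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users
        return False
    salt, expected = record
    _, actual = hash_password(password, salt)
    return hmac.compare_digest(actual, expected)
```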

Console Password (Hide Menus):

The Hide Menus option hides all the WS4D menus until the Show Menus option is selected. This feature is useful for co-located WS4D servers or if you require additional security at the console for your server. Since all the menus are hidden, all WS4D settings and databases are hidden/protected.

Database Administrator Password:

Web Server 4D has the ability to publish unlimited databases with ease. WS4D introduces a new way to publish unlimited databases on the web, via HTML. Setup of the database, the fields to use, the forms to use, and which fields are required are all defined in HTML hidden fields.

Tested

Webserver 4D 3.6 / Windows 2000 sp3

Vulnerable

Webserver 4D 3.6 / Windows 2000 sp3

Disclaimer

http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory.

Author

Tamer Sahin
ts(at)securityoffice.net
http://www.securityoffice.net