Ye, I found a lot of stuff about clearing down that file if you forget
your admin password.
Talking to a regular contribute user, the file is used by contribute
once it has connected using separately entered ftp/sftp details so
having access to that password doesn't necessarily give you access to
anything. What worries me about it is the number of people who use a
single password for everything. What's the betting that on some sites
the contribute admin password is the same as the ftp/sftp one.
I'm going to setup apache to block these directories, a nice touch by
Macromedia would have been to ask if you were using apache and putting a
htaccess file with "deny all" in it in the directory.
Robin
On Thu, 2005-09-15 at 02:30 -0400, Michael Acadia wrote:
I'm not very familiar with Contribute so I hesitate to guess at how big
a security problem this is, but it certainly doesn't seem like "a good
thing."
From what I've found on the Macromedia site (such as
http://livedocs.macromedia.com/dreamweaver/mx2004/using/07_cont8.htm ),
Contribute needs to be able to access that file in order to work
properly in a managed setup.
The PDF 'Deploying Contribute' (
http://www.macromedia.com/devnet/contribute/articles/deploying_contrib_guide1/deploying_contrib_guide1.pdf
) makes for interesting reading. Macromedia assumes that the server
admin will take responsibility for hiding/preventing public access to
these files. I like the assertion that "most search engines and
automated programs are designed not to return pages found in folders
whose names begin with an underscore" (p.6). Seems they forgot about
Google :)
-michael
Mailing List wrote:
I've found something worse, a file called contribute.xml which contains
a password. I'm going to have a look to see if I can find out how the
password is stored and if it can be decrypted/broken in some way.
here is an example of the bit of the file I'm interested in:
<macromedia_dreamweaver_hub write_vers_major="3" read_vers_major="4"
read_vers_minor="0">
<site_name value="my clients site"/>
<revision_history_levels value="3"/>
<admin_password value="8FB744BAAA1F1BBBE8CDACCCAECDDD2F"/>
<admin_e_mail2 value="676F7AAA6F6E4BBB77616E6EBBBD6F72CCC6E2E63DDDD"/>
A quick google for
inurl:contribute.xml
shows lots of these files around, I can't have just found a massive
security failing can I? I must be missing something somewhere.
Robin
On Mon, 2005-09-12 at 10:14 -0700, michael acadia wrote:
You should also look for any folders named _mmServerScripts. The scripts
in this folder are used by Dreamweaver to support database connections
during development and should be removed from production sites.
See http://www.macromedia.com/go/tn_19214
-Michael
-------- Original Message --------
Subject: RE: security of _notes dirs
From: "Griffiths, Ian" <Ian.Griffiths@liv-coll.ac.uk>
Date: Mon, September 12, 2005 10:44 am
To: "webapp" <webappsec@securityfocus.com>
If its written by humans then yes of course, passwords, clues about file
structure, girlfriends phone number, whatever.
-----Original Message-----
From: Mailing List [mailto:maillist@freedomsoftware.co.uk]
Sent: 12 September 2005 10:55
To: webapp
Subject: security of _notes dirs
Hi
I've been looking through a site and found a load of _notes directories
containing .mno files. I know that these are created by dreamweaver and
can contain design notes.
None of the files I've found in the directories on this server have
contained anything that could affect security but is there the potential
for them to contain interesting security info?
Robin
