Re: security of _notes dirs

I looked for a pattern in the password field and not all are the same
length so there are either different version out there or some users
have set things up differently.

Robin

On Thu, 2005-09-15 at 10:57 +0200, Greg wrote:
> Hi,
>
> Le Mercredi 14 Septembre 2005 18:21, Mailing List a écrit :
> > I've found something worse, a file called contribute.xml which contains
> > a password. I'm going to have a look to see if I can find out how the
> > password is stored and if it can be decrypted/broken in some way.
>
> For the obvious part, all the "passwords" are 32 characters long, so chances 
> that they are MD5 hashes are great. Then, for the email value it's just the 
> hex-encoded value of the real email. This perl one-liner will give you the 
> real mail :
>
> perl -e '$ARGV[0] =~ s/(..)/pack "H2", $1/ge; print "${ARGV[0]}\n";' hex_email
>
> For the password hash, a lookup in an online md5 hash database shows up 
> results for some of them.
>
> > A quick google for
> >
> > inurl:contribute.xml
> >
> > shows lots of these files around, I can't have just found a massive
> > security failing can I? I must be missing something somewhere.
>
> I'm not familiar with Macromedia Contribute, so I don't know if this file 
> must 
> be present on the production server, and how much you can mess the site up if 
> you have the password. Maybe someone else on the list ?
>
> And one last thing : this is not a security flaw in Macromedia Contribute, 
> but 
> a malpractice from the webmasters. If they read the doc and learn how to 
> write a 3 lines .htaccess, they wouldn't have this information exposed.
>
> Greg