Overview
x_news allows a user to authenticate without supplying the user's plaintext password.
Description
x_news is a system for managing news. When a user logs in to x_news version 1.1 using a plaintext password, x_news hashes the password with MD5 and compares it to user's hash stored in the file named "db/users.txt". If they match, x_news sets a cookie that contains the username and the hashed password. On subsequent transactions, x_news will accept this cookie as valid authentication. As a result, an attacker does not need to know a user's plaintext password. All that is needed is the user's MD5-hashed password, which can be found in the db/users.txt file. |
Impact
Attackers can gain access to a user's account by using password data stored in a file, bypassing proper authentication by plaintext password. |
Solution
The CERT/CC is currently unaware of a practical solution to this problem. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to frog frog for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Other Information
| CVE IDs: | None |
| Severity Metric: | 3.60 |
| Date Public: | 2002-03-12 |
| Date First Published: | 2002-09-16 |
| Date Last Updated: | 2002-12-10 23:10 UTC |
| Document Revision: | 8 |