BugTraq
Easy obtaining User+Pass+More on CoffeeCup Password Wizard All Versions Feb 28 2003 11:42PM
Rynho Zeros Web (hackargentino gmx net) (1 replies)
Re: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All Versions Mar 03 2003 12:08AM
Per-Ola Kristiansson (admin swesign com)
The Java version is also vulnerable. The username, password and secret URL
can be extracted from the param "0" in the HTML code. I wrote a small
program for this purpose a couple of months ago.

Password Wizard java sample: http://www.coffeecup.com/java-password/samples/

<applet code="joylock.class" width=342 height=140>
<param name="GENERATOR" value="CREATED WITH THE APPLET PASSWORD WIZARD WWW.COFFEECUP.COM">
<param name="GENERAL"
value="1|11|004080|FFFFFF|wslzebajkcnrvogpquftxhidmyvttp://aaa.jnsseejrp.jny/ywxxce.vtyc| |Login Complete.|Enter the Username and Password.| | |">
<param name="0"
value="6|4|36|0|cftzmapuxnrsjibgwykqvleodhlfegvwcwlczccg://qqq.axbbwwahg.axe/enyyvw.zcev">
</applet>

Best regards,
Per-Ola Kristiansson

----- Original Message -----
From: "Rynho Zeros Web" <hackargentino (at) gmx (dot) net>
To: <bugtraq (at) securityfocus (dot) com>
Sent: Saturday, March 01, 2003 12:42 AM
Subject: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All
Versions

> + Topic: Easy obtaining User+Pass+More on CoffeeCup Password Wizard All
> Versions
>
> + Product: CoffeeCup Password Wizard All Versions
>
> + Vendor: CoffeeCup Software, Inc.
>
> + Site: http://www.coffeecup.com/java-password/
>
> + About CoffeeCup Password Wizard: Create unlimited password protected
> pages with unlimited usernames and passwords with CoffeeCup Password Wizard.
> You don't even have to know Flash, Java, or HTML ! Customize the look and
> feel to match your page. You can even point different users to different
> URLs ! Preview within the program or your favorite browser. It's all that
> easy ! All this and more make CoffeeCup Password Wizard the easiest way
> to password protect your pages ! (¿?)
>
> + Description: Easy obtaining of names of users, passwords and a URL
> of direct access to the preferences of the same one.
>
> + Exploit:
>
> go to the login panel, see sourcecode HTML in search of the location
> of the file .swf used to make login.
>
> Example:
>
> Go to
> https://www.victim.com/billing/
>
> See sourcecode,
>
> [...]
> ID=billing WIDTH=146 HEIGHT=125>
> <PARAM NAME=movie VALUE="billing.swf">
> <PARAM NAME=quality VALUE=high>
> [...]
>
> (https://www.victim.com/billing/billing.swf)
>
> the file of the passwords is called just as the file of login, but with
> the extension .apw
>
> now, go to & download the file:
> https://www.victim.com/billing/billing.apw (APW Is The COFFEECUP Password
> Wizard File)
>
> Finally, open this file with any text editor and you will find all the
> users with their passwords and the URL of direct access to their options.
>
> Example of passwords file:
>
> --------- billing.apw -----------
>
> COFFEECUP PASSWORD WIZARD FILE
> WWW.COFFEECUP.COM
> PLEASE DO NOT EDIT!!!!
>
> MOVIE WIDTH:120
> MOVIE HEIGHT:100
> MOVIE FRAME RATE:0
> MOVIE BK COLOR:$00ECECEC
> MOVIE DEFAULT URL:
> MOVIE DEFAULT FRAME:
> MOVIE SWF NAME:billing.swf
> MOVIE SWF PATH:C:\Documents and Settings\vhost\Mis documentos\Mis Webs\victim.com\new website project\billing
> MOVIE FONT NAME:MS Sans Serif
> MOVIE FONT SIZE:8
> MOVIE FONT COLOR:clBlack
> MOVIE TRANSPARENT TRUE
> MOVIE VERTICAL TRUE
>
> USER BOX LEFT:2
> USER BOX TOP:1
> USER BOX WIDTH:116
> USER BOX HEIGHT:34
> USER BOX CAPTION:Username
>
> PASS BOX LEFT:2
> PASS BOX TOP:36
> PASS BOX WIDTH:116
> PASS BOX HEIGHT:34
> PASS BOX CAPTION:Password
>
> BUTTON LEFT:15
> BUTTON TOP:78
> BUTTON WIDTH:90
> BUTTON HEIGHT:20
> BUTTON PATH:
> BUTTON TX:1
> BUTTON TY:1
>
> ADD USER:0anyweb xnet0305 https://www.victim.com/billing/anyweb0001.htm
> ADD USER:0anysite xnet2904 https://www.victim.com/billing/anysite0002.htm
> [...]
> END
>
> --------- billing.apw -----------
>
> Example of user & pass on billing:
>
> user: anyweb
> pass: xnet0305
> url option panel: https://www.victim.com/billing/anyweb0001.htm
>
>
> ----------------------------------------------------------------
>
> [EOF]
>
> -----------------------------------------------
> Credits: ToOcOoL (http://www.valenciahack.com/)
> -----------------------------------------------
>
> --------------------------------
> Note: sorry by my bad english ;)
> --------------------------------
>
> --
> XyBØrG
> WebMaster de:
> www.RZWEB.com.ar
> Powered By Dattatec.Com
>
>
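
A defender-side check for the exposure described in the original post, as an added example that is not part of either message: it walks a local document root, finds Password Wizard `.apw` files stored where the web server can serve them, and reports the accounts and build path each one discloses while leaving passwords out of the report. The `ADD USER:` field layout is assumed from the single sample quoted above; the function names and the abridged sample data are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed sample, abridged from the billing.apw listing quoted above.
SAMPLE_APW = """COFFEECUP PASSWORD WIZARD FILE
MOVIE SWF PATH:C:\\Documents and Settings\\vhost\\billing
ADD USER:0anyweb xnet0305 https://www.victim.com/billing/anyweb0001.htm
ADD USER:0anysite xnet2904 https://www.victim.com/billing/anysite0002.htm
"""
MAGIC = "COFFEECUP PASSWORD WIZARD FILE"
# Assumed from the page's one sample: flag digit, then user, password, URL.
ADD_USER = re.compile(r"^ADD USER:\d(\S+) (\S+) (\S+)$")

def parse_apw(text):
    """Return exposure facts for .apw text, or None if the header is absent."""
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] != MAGIC:
        return None
    info = {"accounts": [], "build_path": None}
    for ln in lines:
        m = ADD_USER.match(ln)
        if m:  # the password (group 2) is deliberately left out of the report
            info["accounts"].append((m.group(1), m.group(3)))
        elif ln.startswith("MOVIE SWF PATH:"):
            info["build_path"] = ln.split(":", 1)[1]
    return info

def audit_webroot(root):
    """Report every Password Wizard .apw file stored under a document root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(f for f in files if f.lower().endswith(".apw")):
            with open(os.path.join(dirpath, name), encoding="latin-1") as fh:
                info = parse_apw(fh.read())
            if info is not None:
                info["file"] = os.path.relpath(os.path.join(dirpath, name), root)
                info["swf_alongside"] = name[:-4] + ".swf" in files
                findings.append(info)
    return findings

def demo():
    """Audit a throwaway document root holding the constructed sample."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "billing"))
        for name, body in (("billing.apw", SAMPLE_APW), ("billing.swf", "")):
            with open(os.path.join(root, "billing", name), "w") as fh:
                fh.write(body)
        return audit_webroot(root)
```

Any finding from `audit_webroot` means the credential file sits inside the served directory tree; a finding with `swf_alongside` set matches the naming pattern the post describes, where the `.apw` shares the login movie's base name.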

Copyright 2010, SecurityFocus