x_news allows a user to authenticate without supplying the user's plaintext password.
x_news is a system for managing news. When a user logs in to x_news version 1.1 using a plaintext password, x_news hashes the password with MD5 and compares the result to the user's hash stored in the file named "db/users.txt". If they match, x_news sets a cookie that contains the username and the hashed password. On subsequent transactions, x_news will accept this cookie as valid authentication.
As a result, an attacker does not need to know a user's plaintext password. All that is needed is the user's MD5-hashed password, which can be found in the db/users.txt file.
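The following added example (not x_news code, and not from the original note) contrasts the cookie check described above with a server-side session token, showing why the stored hash is equivalent to the password in the first design and not in the second. Assumptions: the `username:hash` cookie layout, the in-memory `USERS` and `SESSIONS` tables, and all function names are hypothetical; MD5 is kept only to mirror the behaviour the note describes.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for db/users.txt: username -> MD5 hex of the password.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}
SESSIONS = {}  # hypothetical server-side session table: token -> username


def password_ok(username, password):
    """Plaintext login as described: MD5 the password, compare to the stored hash."""
    stored = USERS.get(username)
    digest = hashlib.md5(password.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored.encode(), digest.encode())


def weak_cookie_ok(cookie):
    """Flawed check: the cookie value is compared to the stored hash itself."""
    username, _, value = cookie.partition(":")  # assumed "username:hash" layout
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), value.encode())


def issue_session(username, password):
    """Hardened login: hand out a random token unrelated to any stored data."""
    if not password_ok(username, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def session_user(token):
    """Hardened check: only tokens issued after a successful login are accepted."""
    return SESSIONS.get(token)


if __name__ == "__main__":
    file_hash = USERS["alice"]  # the value as it sits in the user file
    print("weak check accepts stored hash:", weak_cookie_ok("alice:" + file_hash))
    print("session check accepts stored hash:", session_user(file_hash))
    token = issue_session("alice", "correct horse")
    print("session check accepts issued token:", session_user(token))
```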
Attackers can gain access to a user's account by using password data stored in a file, bypassing proper authentication by plaintext password.
The CERT/CC is currently unaware of a practical solution to this problem.
Thanks to frog frog for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Date First Published: 2002-09-16
Date Last Updated: 2002-12-10 23:10 UTC