ISS X-Force Database: teekais-forum-obtain-information(9286): TeeKai`s Forum could allow a remote attacker to gain sensitive information

TeeKai`s Forum could allow a remote attacker to gain sensitive information

teekais-forum-obtain-information (9286)

Low Risk

Description:

TeeKai's Forum could allow a remote attacker to gain sensitive information. TeeKai's Forum uses a weak encryption to store usage statistics in the /data/member_log.txt file. A remote attacker could send a URL request to access this file to recover user IP addresses, which can then be decrypted.

This vulnerability also affects TeeKai's Tracking Online version 1.0 in the /data/userlog/log.txt file.

Platforms Affected:

Teekai, TeeKai's Forum 1.2
Teekai, TeeKai's Tracking Online 1.0

Remedy:

No remedy available as of July 4, 2009.

Consequences:

Obtain Information

References:

Teekai's Web site, [PHP4 � Forum] at http://www.teekai.info/bluediscs/homepage.php?page=freestuffs&choose=webprogramming&cat=php&item=forum.
Teekai's Web site, [PHP4 � Teekai's Tracking Online] at http://www.teekai.info/bluediscs/homepage.php?page=freestuffs&choose=webprogramming&cat=php&item=tracking.
Vuln-Dev Mailing List, 2002-06-03 19:52:07, Security holes in two Teekai's products + security hole in ncmail.netscape.com at http://marc.theaimsgroup.com/?l=vuln-dev&m=102313697923798&w=2.
BID-4926: Teekai's Forum Weak Visitor IP Address Encryption Vulnerability
CVE-2002-2057: TeeKai Forum 1.2 uses weak encryption of web usage statistics in data/member_log.txt, which is stored under the web document root with insufficient access control, which allows remote attackers to identify IP's visiting the site by dividing each octet by the MD5 hash of '20'.
CVE-2002-2058: TeeKai Tracking Online 1.0 uses weak encryption of web usage statistics in data/userlog/log.txt, which allows remote attackers to identify IP's visiting the site by dividing each octet by the MD5 hash of '20'.

Reported:

Jun 03, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page