The Cart32 installation creates a file, cart32.ini, which contains the administrator password in hashed form.
Credit:
The information has been provided by Colin Hart.
Vulnerable systems:
Cart32 v3.5 build 619 and prior
Immune systems:
Cart32 3.5a build 710
The Cart32 password 'encryption' is weak and can easily be broken. At Cart32's request, the algorithm will not be disclosed in this advisory.
In addition, in some circumstances, cart32.ini may contain the current and historical administrative passwords in plaintext in the Debug section of the file.
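The following audit script is an added example for administrators checking their own installation; it is not part of the advisory and not Cart32's code. It parses a cart32.ini and flags the Debug section the advisory describes, plus any entry in it whose key looks like a password. The advisory does not name the keys Cart32 writes, so the sample file content and the key names (CurrentPassword, OldPassword1, AdminPassword) are constructed placeholders, and the password-like key heuristic is an assumption.

```python
"""Audit a cart32.ini for the plaintext-password exposure in its Debug section.

Added example, not Cart32's code. The real key names are not given in the
advisory, so the sample below uses placeholder keys purely to exercise the check.
"""
import configparser
import sys

# Constructed sample of a cart32.ini with a Debug section (placeholder keys/values).
SAMPLE_INI = """
[Cart32]
Version=3.5
AdminPassword=hashed-placeholder

[Debug]
Enabled=1
CurrentPassword=placeholder-plaintext
OldPassword1=placeholder-old
"""

# Constructed sample of a cart32.ini without a Debug section.
CLEAN_INI = """
[Cart32]
Version=3.5a
AdminPassword=hashed-placeholder
"""

# Assumed heuristic: key names containing these fragments are treated as credentials.
PASSWORD_HINTS = ("pass", "pwd")


def parse_ini(text):
    """Parse INI text, keeping key case and disabling % interpolation."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def audit_cart32_ini(text):
    """Return a list of findings; empty when no Debug section is present."""
    findings = []
    cfg = parse_ini(text)
    debug_sections = [s for s in cfg.sections() if s.lower() == "debug"]
    for section in debug_sections:
        findings.append(
            f"[{section}] section present: advisory says it may hold current and "
            f"historical admin passwords in plaintext"
        )
        for key, value in cfg.items(section):
            if value and any(hint in key.lower() for hint in PASSWORD_HINTS):
                findings.append(
                    f"[{section}] {key} holds a non-empty value: treat the credential "
                    f"as exposed and rotate it after upgrading"
                )
    return findings


def main(argv):
    """Audit the file given on the command line, or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_INI
    results = audit_cart32_ini(text)
    for line in results:
        print("FINDING:", line)
    if not results:
        print("No Debug section found.")
    return 1 if results else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a copy of cart32.ini taken from the installation; a non-zero exit status means a Debug section was found. A clean result from this script does not address the weak hashing of the normal administrator password, which only the upgrade fixes.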
Solution:
1) Upgrade to version 3.5a build 710, which contains stronger password encryption and removes the debug issue. It is available from http://www.cart32.com/update.
2) Follow Cart32's advice on securing your Cart32 files, which is at http://www.cart32.com/kbshow.asp?article=C050 and includes a reference to the location of the cart32.ini file. There are other articles in their knowledge base regarding securing your Cart32 installation.