
Title: Cart32 admin password vulnerability
Released by: Cart32 and Colin Hart
Date: 6th November 2000
Joint advisory issued by Cart32 and Colin Hart


Date Published: 6th November 2000

Cart32 admin password vulnerability


Vulnerable Packages/Systems:

Cart32 v3.5 build 619, in the default configuration from a remote installation. Earlier versions with other installation methods may be



Vulnerability Description:

The Cart32 installation creates a file, cart32.ini, which contains the administrator password in hashed form.

The encryption on the password is weak and can easily be broken. At Cart32's request the algorithm will not be disclosed in this advisory.

Also, in some circumstances, the cart32.ini may contain the current and historical administrative passwords in plaintext in the Debug section of the file.
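A defender-side check for the Debug issue described above, added here as an example and not part of the advisory or of Cart32 itself: it parses a cart32.ini and reports credential-looking keys found in a Debug section without exposing their values, so an administrator can confirm the file is clean after upgrading. The sample file contents, section and key names are constructed assumptions; the advisory does not give the real layout.

```python
import configparser

# Constructed sample cart32.ini for demonstration only. The real file layout
# and key names are not given in the advisory and are assumed here.
SAMPLE_INI = """\
[Settings]
AdminPassword=HASHED-VALUE-PLACEHOLDER
StoreName=Example Store

[Debug]
OldPassword=hunter2
CurrentPassword=letmein
Trace=1
"""

# Key-name fragments that suggest a stored credential (an assumption).
CREDENTIAL_HINTS = ("pass", "pwd")


def find_plaintext_debug_passwords(ini_text):
    """Return (section, key) pairs in a Debug section whose key name looks
    like a credential and has a non-empty value. Values are deliberately
    not returned, so the report can be shared without leaking secrets."""
    # strict=False tolerates repeated keys, which a debug dump may contain;
    # interpolation=None stops '%' in values from being treated specially.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the original key case for the report
    cp.read_string(ini_text)
    findings = []
    for section in cp.sections():
        if section.lower() != "debug":
            continue
        for key in cp[section]:
            if any(h in key.lower() for h in CREDENTIAL_HINTS) and cp[section][key].strip():
                findings.append((section, key))
    return findings


def audit_cart32_ini(path):
    """Audit an on-disk cart32.ini; latin-1 avoids decode errors on old files."""
    with open(path, encoding="latin-1") as fh:
        return find_plaintext_debug_passwords(fh.read())


if __name__ == "__main__":
    for section, key in find_plaintext_debug_passwords(SAMPLE_INI):
        print(f"plaintext credential candidate: [{section}] {key}")
```

An empty result after the build 710 upgrade (step 1 below) is the expected outcome; any finding means the file still needs cleaning and its access restricted as Cart32's knowledge base describes.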



1) Upgrade to version 3.5a build 710, which contains stronger password encryption and removes the debug issue, as soon as possible. It is available from http://www.cart32.com/update

2) Follow Cart32's advice on how to secure your Cart32 files, which is at http://www.cart32.com/kbshow.asp?article=C050 and includes a reference to the location of the cart32.ini file. There are other articles in their knowledge base regarding securing your cart32



You can download a 30-day demo of Cart32 at http://www.cart32.com.

For info on previous Cart32 issues see;




Cart32 is a product of McMurtrey/Whitaker & Associates, Inc. which has been in business since 1989 developing software solutions for clients




Colin Hart is a UK based, independent consultant specialising in NT systems, their design, administration and security for small, medium and large organisations internationally.



From Colin Hart to;
Bryan Whitaker for swift action and cooperation.
RFP for RFPolicy



You may copy or redistribute this advisory but only in its entirety.
(c) Colin Hart 2000

This advisory was created using RFPolicy 2.0;


