Owl Intranet Engine: Information Disclosure and Unsalted Password Hashes
The Owl Intranet Engine uses no salting in the password hashing procedure. Furthermore, users in the "Administrators" group are able to see the MD5 password hashes of every user using the web interface.
Product: Owl Intranet Engine
Affected Versions: 1.01, possibly all older versions
Fixed Versions: none
Vulnerability Type: Information Disclosure, Unsalted Password Hashes
Security Risk: low
Vendor URL: http://owl.anytimecomm.com
Vendor Status: decided not to fix
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-006
Advisory Status: published
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
"Owl is a multi user document repository (knowledge base) system written in PHP for publishing files/documents onto the web for a corporation, small business, group of people, or just for yourself."
(From the vendor's homepage)
The administrative interface of the Owl Intranet Engine allows users in the "Administrators" group to edit user accounts via the "Users&Groups" tab. If a user is selected for editing, all account information is shown. In this overview, the password field is pre-filled with the MD5 hash value of the user's current password, as can be seen in the HTML source. This allows users with administrative access to the Owl Intranet Engine to see the password hashes of every user.
Furthermore, no salting is used when the password hashes are generated, allowing a rainbow table attack against user passwords.
This vulnerability allows administrative users to collect the MD5 password hashes of every user of the affected Owl Intranet Engine system through the administrative interface. Because no salting is employed, a rainbow table attack can be run against the collected password hashes and the password values can possibly be recovered in a short time. The risk potential is, however, deemed to be low, as users with administrative access to the Owl Intranet Engine already have extensive access rights.
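The two weaknesses described above, shown next to a hardened form, as an added example that is not Owl source code and not part of the original advisory. All function names and the sample user record are hypothetical; the sketch assumes PHP 7.1 or later and that legacy records hold a 32-character hex MD5 value.

```php
<?php
// Added illustration; not taken from Owl. All names are hypothetical.

// Scheme described in the advisory: unsalted MD5 of the password.
function legacy_hash(string $password): string {
    return md5($password);
}

// Hardened scheme: password_hash() draws a random per-record salt and uses
// a deliberately slow algorithm, so precomputed tables do not apply.
function hardened_hash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Check a login against either storage format. Returns the value to store
// afterwards (legacy MD5 records are upgraded on success) or null on failure.
function verify_and_upgrade(string $password, string $stored): ?string {
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {   // legacy MD5 record
        return hash_equals($stored, legacy_hash($password))
            ? hardened_hash($password)
            : null;
    }
    if (!password_verify($password, $stored)) {
        return null;
    }
    return password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? hardened_hash($password)
        : $stored;
}

// "Edit user" form fields: the password input is always rendered empty, so
// the stored hash never reaches the HTML source, even for administrators.
function render_edit_fields(array $user): string {
    $name = htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="username" value="' . $name . '">' . "\n"
         . '<input type="password" name="password" value="" autocomplete="new-password">';
}

// Constructed sample data: two accounts sharing one password.
$pw = 'Sample-Passw0rd';
echo "unsalted hashes equal: ", var_export(legacy_hash($pw) === legacy_hash($pw), true), "\n";
echo "salted hashes equal:   ", var_export(hardened_hash($pw) === hardened_hash($pw), true), "\n";
$upgraded = verify_and_upgrade($pw, legacy_hash($pw));
echo "upgraded record valid: ", var_export(password_verify($pw, $upgraded), true), "\n";
echo "wrong password result: ", var_export(verify_and_upgrade('wrong', legacy_hash($pw)), true), "\n";
echo render_edit_fields(['username' => 'alice', 'password' => $upgraded]), "\n";
```

An empty password field in the edit form is treated as "leave unchanged" on submit; only a non-empty value is hashed and stored.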
2011-05-29 Vulnerability identified
2011-07-26 Customer approved disclosure to vendor
2011-10-31 Vendor notified
2011-11-30 Vendor releases new version that does not fix the issue
2011-12-15 Advisory released
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. In doing so, security weaknesses in company networks or products are uncovered and can be fixed immediately.
As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at http://www.redteam-pentesting.de.