Advisory: Owl Intranet Engine: Information Disclosure and Unsalted Password Hashes

The Owl Intranet Engine uses no salting in the password hashing
procedure. Furthermore, users in the "Administrators" group are able to
see the MD5 password hashes of every user using the web interface.


Details
=======

Product: Owl Intranet Engine
Affected Versions: 1.01, possibly all older versions
Fixed Versions: none
Vulnerability Type: Information Disclosure, Unsalted Password Hashes
Security Risk: low
Vendor URL: http://owl.anytimecomm.com
Vendor Status: decided not to fix
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2011-006
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

"Owl is a multi user document repository (knowledge base) system written
in PHP for publishing files/documents onto the web for a corporation,
small business, group of people, or just for yourself."

(From the vendor's homepage)


More Details
============

The administrative interface of the Owl Intranet Engine allows users in
the "Administrators" group to edit user accounts over the "Users&Groups"
tab. If a user is selected for editing, all account information is
shown. In this overview, the password field is filled with the MD5 hash
value of the old user password, as can be seen in the HTML sources.
This allows users with administrative access to the Owl Intranet Engine
to see the password hashes of every user. 

Furthermore, no salting is used when the password hashes are generated,
allowing a rainbow tables attack against user passwords.


Fix
===

None.


Security Risk
=============

This vulnerability allows administrative users to collect the MD5
password hashes of every user of the affected Owl Intranet Engine system
through the administrative interface. Because no salting is employed, a
rainbow tables attack can be run against the collected password hashes
and the password values can possibly be recovered in a short time. The
risk potential is however deemed to be low, as users with administrative
access to the OWL Intranet Engine already have extensive access rights.


History
=======

2011-05-29 Vulnerability identified
2011-07-26 Customer approved disclosure to vendor
2011-10-31 Vendor notified
2011-11-30 Vendor releases new version that does not fix the issue
2011-12-15 Advisory released


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
http://www.redteam-pentesting.de.