
Cart32 v3.5 build 619 weak admin password encryption, in ini file



    Cart32 v3.5 build 619


    Colin Hart found the following.  Affected is Cart32 v3.5 build 619,
    in the default configuration from a remote installation.  Earlier
    versions with other installation methods may be affected.

    The Cart32 installation creates a file, cart32.ini, which contains
    the administrator password in hashed form.  The encryption on  the
    password is weak  and can easily  be broken.   At Cart32's request
    the algorithm will not be disclosed in this advisory.

    Also,  in  some  circumstances,  the  cart32.ini  may  contain the
    current and  historical administrative  passwords in  plaintext in
    the Debug section of the file.


    1) Upgrade  to  version  3.5a  build 710, which contains  stronger
       password encryption  and removes  the debug  issue, as  soon as
       possible.  It is available from
    2) Follow Cart32's advice on how to secure your Cart32 files which
       is   at   and
       includes a reference  to the location  of the cart32.ini  file.
       There  are  other  articles  in  their knowledge base regarding
       securing your cart32 installation.
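
An added example, not part of the advisory and not Cart32's own code: a Python check an administrator could run over a copy of cart32.ini to flag a populated Debug section (key names only, values are never echoed) and a file location under the web root. Only the file name and the Debug section come from the advisory; the sample key names, the function name and the web-root test are assumptions.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed sample. Only the file name and the "Debug" section come from the
# advisory; every key name and value below is a hypothetical placeholder.
SAMPLE_INI = """\
[Main]
AdminPassword=PLACEHOLDER-HASHED-VALUE

[Debug]
LastAdminPassword=example-old-password
PreviousAdminPassword=example-older-password
"""


def audit_cart32_ini(ini_text, ini_path, web_root):
    """Return a list of findings for one cart32.ini; values are never echoed."""
    findings = []
    parser = configparser.ConfigParser(
        interpolation=None,    # treat '%' in values literally
        strict=False,          # tolerate duplicate keys and sections
        allow_no_value=True,   # tolerate bare keys without '='
    )
    parser.optionxform = str   # keep key names as written
    parser.read_string(ini_text)

    for section in parser.sections():
        keys = parser.options(section)
        if section.strip().lower() == "debug" and keys:
            findings.append(
                f"[{section}] has {len(keys)} entries ({', '.join(keys)}): "
                "plaintext passwords may be exposed; upgrade and rotate the admin password"
            )

    # Assumed check: a file under the web root may be fetchable over HTTP.
    # PureWindowsPath compares case-insensitively, matching Windows paths.
    if PureWindowsPath(web_root) in PureWindowsPath(ini_path).parents:
        findings.append(f"{ini_path} is inside web root {web_root}: move it out")
    return findings


if __name__ == "__main__":
    for line in audit_cart32_ini(
        SAMPLE_INI, r"C:\Inetpub\wwwroot\cgi-bin\cart32.ini", r"c:\inetpub\wwwroot"
    ):
        print("FINDING:", line)
```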
