
Timbuktu user database may be overwritten



25th Feb 2002 [SBWID-5135]
COMMAND

	Timbuktu user database may be overwritten

SYSTEMS AFFECTED

	Timbuktu Pro 4.5

PROBLEM

	Ernesto Tequila [http://www.digreb.de] found the following.
	

	Timbuktu is a Remote Access Server / Client for Windows and Mac
	environments. It gives the user control over the server according to
	its restrictions set in the user database of the server. All user
	information is stored on the server side in a file called tb2.plu, which
	normally resides in :\Programme\Timbuktu Pro. Timbuktu stores the
	usernames in cleartext in this file, so anyone who can read it can
	look up user accounts. Even more critical, this file is not locked
	while the server is running, so an intruder can replace tb2.plu with
	one created at home containing a known username / password combination
	and no restrictions at all. After a restart, the Timbuktu application
	reads the new usernames and passwords from the file, granting the
	intruder full administrator access!
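
	Because the replaced file only takes effect after a restart, one defensive check is to verify tb2.plu against a keyed baseline before the application is restarted. The following is an added example, not part of the original advisory or of Timbuktu; the function names, the tag file and the key handling are assumptions, and the sample file contents are constructed.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 65536


def db_tag(db_path, key):
    """HMAC-SHA256 over the user database contents, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(db_path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            mac.update(chunk)
    return mac.hexdigest()


def save_baseline(db_path, tag_path, key):
    """Record the known-good tag; rerun after each legitimate user edit."""
    tag = db_tag(db_path, key)
    with open(tag_path, "w", encoding="ascii") as f:
        f.write(tag)
    return tag


def check_before_restart(db_path, tag_path, key):
    """Return 'ok', 'replaced', 'missing' or 'no-baseline'."""
    if not os.path.isfile(tag_path):
        return "no-baseline"
    if not os.path.isfile(db_path):
        return "missing"
    with open(tag_path, encoding="ascii") as f:
        expected = f.read().strip()
    # Without the key, a swapped-in file cannot carry a matching tag.
    actual = db_tag(db_path, key)
    return "ok" if hmac.compare_digest(expected, actual) else "replaced"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: real key is kept off the host
    with tempfile.TemporaryDirectory() as d:
        db, tag = os.path.join(d, "tb2.plu"), os.path.join(d, "tb2.tag")
        with open(db, "wb") as f:
            f.write(b"constructed sample contents")  # not the real file format
        save_baseline(db, tag, key)
        print(check_before_restart(db, tag, key))  # baseline matches
        with open(db, "wb") as f:
            f.write(b"constructed replacement")
        print(check_before_restart(db, tag, key))  # file was swapped
```

	Using an HMAC rather than a plain hash means someone who can overwrite both tb2.plu and the tag file still cannot produce a matching pair without the key.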

SOLUTION

	

