RALF'S CHAT V.12 - http://www.ralfchat.de

Ralf's Chat is a free CGI-based chat program. But Ralf's Chat has some awful bugs in it.

I played myself with the CGI and discovered that the master password is set to a default password called: mpw

So, if whoever runs this chat has not edited config.pm line 10:

$masterpassword = "mpw"; # Masterpassword for special commands

an attacker could execute all chat operations knowing only the default master password. I discovered that many newbies who have created their own homepages with this chatroom aren't able to modify line 10 and set a new password. So if anybody is using this chat, please open "config.pm" with Notepad (or whatever you like) and change "mpw" to your own password.

But that's not all! Some CGI newbies set the CHMOD rights wrong, which means that another person is able to read the "config.pm" file by using this address: http://www.target-domain.com/cgi-bin/config.pm - to secure this awful bug, set the chmod to 711.

I asked myself how the encryption works in the registration process when joining the chatroom. If you install the CGI script you must create a folder called "data" where the CHMOD rights must be 777 (read, write, execute for anybody). If someone puts an address like http://www.target-domain.com/cgi-bin/data/ in the web browser, the attacker could see all existing files. You can put an index.htm in the /data directory to hide the files, so that the index.htm is served instead. But the attacker could still read the "nicks" file, where the passwords are saved in plain text.
A "nicks" file could look like this one:

Daniel;;mypassword;;daniel@wischnewski.net;;Mon Jul 10 07:39:45 2000;;963240000;;10;;standard;;;;;;0;;;;149.225.26.75;;0
Test;;tester;;test@temp.com;;Mon Jul 10 09:05:12 2000;;963240000;;10;;standard;;;;;;0;;;;212.68.121.195;;0
Yet;;another;;yet@another.com;;Mon Jul 10 11:24:48 2000;;963240000;;10;;standard;;;;;;0;;;;198.195.137.145;;0

You can see that the first registered name was "Daniel", his password is "mypassword" with the specified email address "daniel@wischnewski.net", registered on the 10th of July at 07:39:45 pm with the IP 149.225.26.75. The other two lines are only an example.

Bad guys will read the "nicks" file by using the address http://www.target-domain.com/cgi-bin/data/nicks in a web browser. Try the official demo page at Ralf's page to view ***all*** registered users with details by using this address: http://cgi.exit.de/~ralfchat2/demo/data/nicks

Now the bad guy can log in with a registered user name and change the password the user registered with.

If you'd like to secure this chatroom, open the Perl scripts and search for "nicks". Change "nicks" to anything you like, but be sure to back up the scripts before editing. You can also change the chmod to 600.

Best Regards,
Daniel Wischnewski
daniel@wischnewski.net

After mailing the bug to Ralf he fixed the CHMOD rights at his site, so the http://cgi.exit.de/~ralfchat2/demo/data/nicks trick will no longer work. Thanks to Ralf for this cool chat.
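The hardening steps above (changing the default master password, restricting config.pm and data/nicks, and placing an index.htm in data/) can be checked on an installed copy with a small audit script. This is an added example, not code from Ralf's Chat or from the original post; the install directory passed as the first argument and the function names are assumptions, and the demo tree it builds is constructed test data.

```shell
#!/bin/sh
# Added audit script, not part of Ralf's Chat or the original post. It checks an
# installed copy for the three weaknesses described above: the default master
# password "mpw" in config.pm, a config.pm or data/nicks readable by group/others,
# and a data/ directory with no index.htm. File names and the default password
# come from the post; the install directory given as $1 is an assumption.

# ralfchat_check_mpw DIR -> 0 if config.pm exists and no longer carries the default "mpw"
ralfchat_check_mpw() {
    [ -f "$1/config.pm" ] || return 1   # a missing config.pm is reported as a finding
    ! grep -Eq '^[[:space:]]*\$masterpassword[[:space:]]*=[[:space:]]*"mpw"' "$1/config.pm"
}

# ralfchat_check_perms DIR -> 0 if neither config.pm nor data/nicks is readable
# by group or others (the post recommends chmod 711 / 600)
ralfchat_check_perms() {
    for f in "$1/config.pm" "$1/data/nicks"; do
        [ -e "$f" ] || continue
        # columns 5-10 of "ls -l" output are the group and other permission bits
        case "$(ls -ld "$f" | cut -c5-10)" in *r*) return 1 ;; esac
    done
    return 0
}

# ralfchat_check_index DIR -> 0 if data/index.htm is present to block directory listings
ralfchat_check_index() {
    [ -f "$1/data/index.htm" ]
}

# ralfchat_audit DIR -> prints one line per finding and returns the number of findings
ralfchat_audit() {
    n=0
    ralfchat_check_mpw "$1"   || { echo "WEAK: config.pm still uses the default masterpassword \"mpw\""; n=$((n+1)); }
    ralfchat_check_perms "$1" || { echo "WEAK: config.pm or data/nicks is readable by group/others"; n=$((n+1)); }
    ralfchat_check_index "$1" || { echo "WEAK: data/ has no index.htm, a listing would expose nicks"; n=$((n+1)); }
    return "$n"
}

# ralfchat_demo_tree DIR: builds a constructed, deliberately weak install for testing;
# the nicks record is the "Test" example line from the post
ralfchat_demo_tree() {
    mkdir -p "$1/data"
    printf '$masterpassword = "mpw"; # Masterpassword for special commands\n' > "$1/config.pm"
    printf 'Test;;tester;;test@temp.com;;Mon Jul 10 09:05:12 2000;;963240000;;10;;standard;;;;;;0;;;;212.68.121.195;;0\n' > "$1/data/nicks"
    chmod 644 "$1/config.pm" "$1/data/nicks"
}

# Usage: sh ralfchat_audit.sh /path/to/cgi-bin
if [ "$#" -ge 1 ]; then ralfchat_audit "$1"; fi
```

The script only reads the files and prints findings; it does not change anything, so the chmod and password edits from the post still have to be applied by the administrator.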