4th Mar 2003 [SBWID-6038]
COMMAND
	Pastel accounting potential user compromise
SYSTEMS AFFECTED
	PASTEL ACCOUNTING v6.0-6.12 (confirmed), earlier versions (suspected)
PROBLEM
	In the -ph33r-blaqhatz advisory:
	
	blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-b
	l                                                                          l
	a      ,-.        ||||||  ||     //\\   /|||\  ||  ||  //\\ |||||| |||||/  a
	q     /`-'\       ||   )) ||    //  \\ ||   || ||  || //  \\  ||      //   q
	|  .-/     \-,    ||||<<  ||    /||||\ ||   || |||||| /||||\  ||     //    |
	b (  `.___.'  )   ||   )) ||    ||  || ||   || ||  || ||  ||  ||    //     b
	l  `. _____ .'    ||||||  ||||| ||  ||  \|||\\ ||  || ||  ||  ||   /|||||  l
	a                                            \\                            a 
	q-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq
	 http://www.only4jewz.net/efil4zaggin/blaqhatz.advisory.20030303
	
	1. BACKGROUND
	Pastel Accounting is an accounting package widely used by small business
	entities in countries in Africa, Europe, the Middle and Far East and
	Australasia. The Pastel product includes a facility for secure access to
	specific modules within the product.
	Further information is available at http://www.pastel.com
	2. PROBLEM DESCRIPTION
	The security system and application controls used by the Pastel product
	are broken.
	
	All user and security information is stored in the file "ACCUSER.DAT"
	within the chosen client folder. No data within this file is encrypted
	with any information, nor is any version/validity checking done against
	this file.
	
	As such, it is possible to replace the ACCUSER.DAT file with one from a
	different set of accounts, with known usernames and passwords, access and
	modify the data stored within a specific set of accounts and then restore
	the original file, thus leaving no concrete record of by whom the files
	were modified.
	
	In some contexts, it would even be possible to falsify records in an
	attempt to 'frame' a particular user with changes.
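As an added illustration of the missing validity check (example code, not part of the advisory and not Pastel's own code), the following hypothetical tag binds the user file to its client data set, so a file copied in from a different set of accounts is rejected at login even though it is well-formed; the key, client ids and file bytes are constructed.

```python
import hashlib
import hmac

# Added example, not Pastel's code: a keyed integrity tag that binds a user/
# security file (e.g. ACCUSER.DAT) to one client data set, so a file copied in
# from a different set of accounts fails validation at login even though it is
# a well-formed file. All names and sample bytes below are constructed.

def user_file_tag(key: bytes, client_id: bytes, contents: bytes) -> bytes:
    """HMAC-SHA256 over (client_id, contents); the client id is length-prefixed
    so two different (id, contents) pairs cannot produce the same message."""
    msg = len(client_id).to_bytes(4, "big") + client_id + contents
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify_user_file(key: bytes, client_id: bytes,
                     contents: bytes, stored_tag: bytes) -> bool:
    """Constant-time comparison against the tag stored with the data set."""
    return hmac.compare_digest(user_file_tag(key, client_id, contents), stored_tag)

# Constructed sample data. In a real deployment KEY would be a per-installation
# secret held outside the client folder, not a constant in source.
KEY = b"constructed-installation-secret"
CLIENT_A = b"client-A"
CLIENT_B = b"client-B"
FILE_A = b"USER=admin;HASH=<opaque-A>\n"     # the legitimate file for client A
FILE_B = b"USER=admin;HASH=<opaque-B>\n"     # same layout, credentials known elsewhere
TAG_A = user_file_tag(KEY, CLIENT_A, FILE_A)  # tag recorded when client A was set up

def demo() -> tuple:
    """Returns (original accepted, swapped file rejected, foreign tag rejected)."""
    original_ok = verify_user_file(KEY, CLIENT_A, FILE_A, TAG_A)
    # The scenario from the advisory: client B's file placed in client A's folder.
    swapped_ok = verify_user_file(KEY, CLIENT_A, FILE_B, TAG_A)
    # Copying client B's own tag along with its file does not help either,
    # because that tag is bound to client B's id, not client A's.
    foreign_ok = verify_user_file(KEY, CLIENT_A, FILE_B,
                                  user_file_tag(KEY, CLIENT_B, FILE_B))
    return original_ok, not swapped_ok, not foreign_ok

if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The check is only useful if it runs at login time, while the substituted file is in place; a tag over the file alone would not reveal a swap that was later reverted.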
	Additionally, some preliminary testing on the accuser.dat file displayed
	an alarming correlation between certain sections of the file and the
	passwords chosen. For example, given a group of users with chosen
	passwords "AAAAAAAA", "BBBBBBBB", "CCCCCCCC", "DDDDDDDD", and "ABCDEFGH",
	the following strings were found in the file: "ssssssss", "tttttttt",
	"uuuuuuuu", "vvvvvvvv", and "stuvwxyz".
SOLUTION
	None yet