2nd Mar 2003 [SBWID-6034]
COMMAND
	CoffeeCup users password and config remotely accessible
SYSTEMS AFFECTED
	CoffeeCup Password Wizard All Versions
PROBLEM
	In   Rynho   Zeros   Web   [http://www.RZWEB.com.ar]    &    ToOcOoL
	[http://www.valenciahack.com/] advisory :
	go to the login panel, see sourcecode HTML in search of the location  of
	the file .swf used to make login.
	Example:
	Go to
	
	 https://www.victim.com/billing/
	
	See sourcecode,
	
	[...]
	        ID=billing WIDTH=146 HEIGHT=125>
	        <PARAM NAME=movie VALUE="billing.swf">
	        <PARAM NAME=quality VALUE=high>
	[...]
	(https://www.victim.com/billing/billing.swf)
	
	the file of the passwords is called just as the file of login, but  with
	the extension .apw
	now, go to & download the file:
	
	https://www.victim.com/billing/billing.apw 
	
	(APW Is The COFFEECUP Password Wizard File)
	by I complete it opens east file with any text editor and found all  the
	users with its passwords and the URL of direct access to its options.
	Example of passwords file:
	
	--------- billing.apw -----------
	COFFEECUP PASSWORD WIZARD FILE WWW.COFFEECUP.COM PLEASE DO NOT EDIT!!!!
	MOVIE  WIDTH:120  MOVIE  HEIGHT:100  MOVIE   FRAME   RATE:0   MOVIE   BK
	COLOR:$00ECECEC MOVIE  DEFAULT  URL:  MOVIE  DEFAULT  FRAME:  MOVIE  SWF
	NAME:billing.swf  MOVIE  SWF  PATH:C:\Documents  and  Settings\vhost\Mis
	documentos\Mis Webs\victim.com\new website project\billing\  MOVIE  FONT
	NAME:MS Sans Serif MOVIE FONT  SIZE:8  MOVIE  FONT  COLOR:clBlack  MOVIE
	TRANSPARENT TRUE MOVIE VERTICAL TRUE
	USER BOX LEFT:2 USER BOX TOP:1 USER BOX  WIDTH:116  USER  BOX  HEIGHT:34
	USER BOX CAPTION:Username
	PASS BOX LEFT:2 PASS BOX TOP:36 PASS BOX WIDTH:116  PASS  BOX  HEIGHT:34
	PASS BOX CAPTION:Password
	BUTTON LEFT:15 BUTTON TOP:78 BUTTON  WIDTH:90  BUTTON  HEIGHT:20  BUTTON
	PATH: BUTTON TX:1 BUTTON TY:1
	ADD USER:0anyweb xnet0305  https://www.victim.com/billing/anyweb0001.htm
	ADD                        USER:0anysite                        xnet2904
	https://www.victim.com/billing/anysite0002.htm [...] END
	--------- billing.apw -----------
	
	Example of user & pass on billing:
	
	user: anyweb
	pass: xnet0305
	url option panel: https://www.victim.com/billing/anyweb0001.htm
	
	 Update (04 March 2003)
	 ======
	Per-Ola Kristiansson adds :
	The Java version is also vulnerable. The username, password  and  secret
	url can be extracted from the param "0" in the  html  code.  I  wrote  a
	small program for this purpose a couple of months ago.
	Password               Wizard                java                sample:
	http://www.coffeecup.com/java-password/samples/
	
	<applet code="joylock.class" width=342 height=140>
	<param name="GENERATOR" value="CREATED WITH THE APPLET PASSWORD WIZARD
	WWW.COFFEECUP.COM">
	<param name="GENERAL"
	value="1|11|004080|FFFFFF|wslzebajkcnrvogpquftxhidmyvttp://aaa.jnsseejrp.jny
	/ywxxce.vtyc| |Login Complete.|Enter the Username and Password.| | |">
	<param name="0"
	value="6|4|36|0|cftzmapuxnrsjibgwykqvleodhlfegvwcwlczccg://qqq.axbbwwahg.axe
	/enyyvw.zcev">
	</applet>
	
SOLUTION
	?