Subprofile.com Exploit


Several “hackers” discovered the password to the sample profiles on www.subprofile.com (all the servers). On 7/23/02, a guy going by the alias “JTM” decided he wanted to know how to change a subprofile without a password. He started a program called “webproxy”, developed by @stake, which lets you easily change the variables passed to a website's scripts. He figured out that he could change any member’s profile by changing the name field that is passed during the update of the profile. Then he learned that if the name field is set to a nonexistent name, the PHP script subprofile uses spits out an error revealing how the passwords are stored. The error looked something like this:

Warning: Unable to access v5jp8mb23ewu/username.txt in /home/virtual/site1/fst/var/www/html/change.php on line 51
Warning: fopen("v5jp8mb23ewu/username.txt","r") - No such file or directory in /home/virtual/site1/fst/var/www/html/change.php on line 51
Warning: Supplied argument is not a valid File-Handle resource in /home/virtual/site1/fst/var/www/html/change.php on line 52
Warning: Supplied argument is not a valid File-Handle resource in /home/virtual/site1/fst/var/www/html/change.php on line 53
Warning: Cannot add header information - headers already sent by (output started at /home/virtual/site1/fst/var/www/html/change.php:51) in /home/virtual/site1/fst/var/www/html/change.php on line 141

As you can see, the PHP file is trying to access http://server.subprofile.com/v5jp8mb23ewu/username.txt, which doesn’t exist, so it spits out an error. As he expected, all the usernames are stored exactly like this, so he was now able to obtain the password for any username. He could find people with a subprofile and get their password, and since most people usually use the same password everywhere, he could go on their AIM screen name. This is how the vulnerability for obtaining users’ passwords was found.

-JTM
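
The three weaknesses described above (a client-supplied name field trusted for the update, PHP warnings shown to the visitor, and password files readable under the web root) can be closed as in the following sketch. It is an added example, not subprofile.com's code; the directory constants, the function names and the `password` and `profile` field names are assumptions.

```php
<?php
// Added example, not subprofile.com's code; all names and paths are hypothetical.
declare(strict_types=1);

ini_set('display_errors', '0'); // warnings (paths, line numbers) never reach the client
ini_set('log_errors', '1');     // they go to the server log instead

const CRED_DIR    = '/var/lib/profiles/creds'; // outside the document root
const PROFILE_DIR = '/var/lib/profiles/text';

// A fixed alphabet means a name can never carry path separators or dots.
function valid_username(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $name) === 1;
}

// Stored password hash, or null for a malformed or unknown name.
function load_hash(string $name): ?string
{
    if (!valid_username($name)) {
        return null;
    }
    $path = CRED_DIR . '/' . strtolower($name) . '.hash';
    if (!is_file($path)) { // test first, so a missing user raises no fopen() warning
        return null;
    }
    $hash = file_get_contents($path);
    return $hash === false ? null : trim($hash);
}

// The password is checked against the same name the update will be applied to.
function may_update(string $name, string $password): bool
{
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $hash = load_hash($name);
    $ok = password_verify($password, $hash ?? $dummy); // same work for unknown names
    return $hash !== null && $ok;
}

if (PHP_SAPI !== 'cli') {
    $name = (string) filter_input(INPUT_POST, 'name'); // array input becomes ''
    if (!may_update($name, (string) filter_input(INPUT_POST, 'password'))) {
        http_response_code(403);
        exit('Update rejected.'); // one message for bad name and bad password
    }
    $text = (string) filter_input(INPUT_POST, 'profile');
    file_put_contents(PROFILE_DIR . '/' . strtolower($name) . '.txt', $text, LOCK_EX);
}
```

The `.hash` files are assumed to be written with `password_hash()` at sign-up, so even a leaked file does not hand over a password that can be reused elsewhere.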
