Vulnerability: Cart32
Affected: Cart32 v3.5 build 619

Description

Colin Hart found the following. Cart32 v3.5 build 619, in the default configuration from a remote installation, is affected. Earlier versions with other installation methods may be affected as well.

The Cart32 installation creates a file, cart32.ini, which contains the administrator password in hashed form. The encryption on the password is weak and can easily be broken. At Cart32's request the algorithm will not be disclosed in this advisory.

Also, in some circumstances, cart32.ini may contain the current and historical administrative passwords in plaintext in the Debug section of the file.

Solution

1) Upgrade to version 3.5a build 710, which contains stronger password encryption and removes the debug issue, as soon as possible. It is available from http://www.cart32.com/update

2) Follow Cart32's advice on how to secure your Cart32 files, which is at http://www.cart32.com/kbshow.asp?article=C050 and includes a reference to the location of the cart32.ini file. There are other articles in their knowledge base regarding securing your Cart32 installation.
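An added audit check (not from the advisory or from Cart32) that parses a cart32.ini with Python's configparser and reports password-like keys found in the Debug section, so an administrator can confirm whether the plaintext-password condition applies to their install. The sample file, the section name and the key names are constructed placeholders, since the advisory does not give Cart32's real schema.

```python
"""Audit a cart32.ini for plaintext credentials in its [Debug] section.
Section and key names are assumed placeholders, not Cart32's real schema."""
import configparser

# Constructed sample (not a real cart32.ini): the [Debug] section carries
# password-like entries in clear text, which is the condition to flag.
SAMPLE_INI = """\
[Settings]
AdminPassword=7f2a91c4        ; hashed form (placeholder value)
[Debug]
LastLogin=2000-04-26
AdminPassword=hunter2         ; plaintext (placeholder value)
OldAdminPassword=letmein      ; historical plaintext (placeholder value)
"""

PASSWORD_HINTS = ("pass", "pwd")  # assumed substrings; adjust to the real keys


def find_debug_passwords(ini_text: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs from [Debug] whose key looks password-related.
    An empty list means no finding; a missing [Debug] section also yields []."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";",))
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(ini_text)
    if not cp.has_section("Debug"):
        return []
    return [(k, v) for k, v in cp.items("Debug")
            if any(h in k.lower() for h in PASSWORD_HINTS)]


def audit(ini_text: str) -> list[str]:
    """Human-readable findings; empty when the file is clean on this point."""
    findings = [f"[Debug] exposes a plaintext credential in key '{k}'"
                for k, _ in find_debug_passwords(ini_text)]
    if findings:
        findings.append("Action: upgrade to 3.5a build 710 and change the "
                        "administrator password, since old values were stored in clear")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_INI) or ["no plaintext passwords in [Debug]"]:
        print(line)
```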