Title:Weak password protection in multiple Internet Cafe products
Reporter:Blue Moon Consulting
  1. VDC iNCM beta 9
  2. 24h NetCafe
Fixed in:--


The products mentioned in this advisory stores users' passwords in plain text in their databases. If an attacker is able to obtain the database file, these sensitive data will be compromised. Advisory BMSA-2008-02 detailed a directory traversal vulnerability (moderate severity) in VDC iNCM which, when coupled with this vulnerability (low severity), would result in an elevation of severity to critical.

These products also ignore case sensitivity and only allow limited charsets in passwords. This greatly reduces the search space of a brute-forcing prorgam, making it more likely for an attacker to find a working password.


There is no workaround.


There is no fix at the moment. Customers are advised to contact the vendor directly.


Blue Moon Consulting adapts RFPolicy v2.0 in notifying vendors.

Initial vendor contact:
 May 13, 2008: alert sent to and
Vendor response:
 May 14, 2008: acknowledgement received from
Public disclosure:
 May 20, 2008
Exploit code:no exploit code needed


The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.