[NT] Back Office Web Administration Authentication Bypass
From: support@securiteam.com Date: 04/18/02
From: support@securiteam.com To: list@securiteam.com Date: Thu, 18 Apr 2002 21:45:37 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Back Office Web Administration Authentication Bypass
------------------------------------------------------------------------
SUMMARY
The Microsoft Back Office suite ships with an ASP-based web administration
application that runs on IIS. Normally a user must authenticate before
using the administration pages, but NGSSoftware have discovered that this
check is trivial to bypass.
DETAILS
Vulnerable systems:
* Microsoft's Back Office Web Administrator 4.0
* Microsoft's Back Office Web Administrator 4.5
Each of the Back Office Web Administrator ASP pages checks whether the
user has been authenticated, but does so with only the following snippet
of code:

    <%
    ' The page rejects the request only when IIS reports no
    ' authentication type at all; it never checks that a user
    ' was actually authenticated.
    If Request.ServerVariables("auth_type") = "" Then
        Response.Status = "401 ACCESS DENIED"
        Response.End
    End If
    %>
This is the only "authorization/authentication" performed. As such it's
trivial to bypass:
GET /BOADMIN/BACKOFFICE/SERVICES.ASP HTTP/1.1
Host: hostname
Authorization: Basic
[enter]
[enter]
No credentials are required because, technically, the auth_type server
variable has been set as soon as the Authorization header names a scheme,
regardless of whether a user name or password was supplied.
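The following is an added example, not code from the advisory, from NGSSoftware or from Microsoft. It models in Python the subset of IIS behaviour the advisory relies on: AUTH_TYPE is populated from the scheme token of the Authorization header, while AUTH_USER is populated only when the credentials decode and validate. It then runs the quoted gate (AUTH_TYPE non-empty) next to a gate that requires a verified principal, and finishes with a small detector for W3C-style IIS log lines that show a successful, anonymous hit on the /BOADMIN/ tree. The credential store, the log lines and their field order are constructed for the example; the population logic is a simplification of IIS, not IIS code.

```python
import base64

# Constructed credential store for the simulation (not a real account).
VALID_CREDENTIALS = {"admin": "s3cret-example"}

# Field order assumed for the constructed W3C-style log lines below:
# date time c-ip cs-username cs-method cs-uri-stem sc-status
ADMIN_PREFIX = "/BOADMIN/"


def basic_header(user, password):
    """Build a well-formed 'Authorization: Basic' header value."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def server_variables(authorization_header):
    """Derive AUTH_TYPE / AUTH_USER from an Authorization header value.

    Simplified model of what the advisory describes: naming the scheme is
    enough to populate AUTH_TYPE, but AUTH_USER is only set when the
    credentials decode and match a known account.
    """
    variables = {"AUTH_TYPE": "", "AUTH_USER": ""}
    if authorization_header is None:
        return variables
    scheme, _, param = authorization_header.strip().partition(" ")
    if scheme.lower() != "basic":
        return variables
    variables["AUTH_TYPE"] = "Basic"  # set as soon as the scheme is named
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return variables
    user, _, password = decoded.partition(":")
    if user and VALID_CREDENTIALS.get(user) == password:
        variables["AUTH_USER"] = user
    return variables


def vulnerable_gate(variables):
    """The check quoted in the advisory: only an empty AUTH_TYPE is rejected."""
    return variables["AUTH_TYPE"] != ""


def hardened_gate(variables):
    """Require that a principal was actually authenticated, not merely that
    an Authorization header named a scheme."""
    return variables["AUTH_TYPE"] == "Basic" and variables["AUTH_USER"] != ""


def evaluate(authorization_header):
    """Run both gates over one header value and report the outcome."""
    variables = server_variables(authorization_header)
    return {
        "vulnerable_allows": vulnerable_gate(variables),
        "hardened_allows": hardened_gate(variables),
        "auth_user": variables["AUTH_USER"],
    }


# Constructed log lines in the field order stated above.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status",
    "2002-04-18 21:45:37 10.0.0.5 - GET /BOADMIN/BACKOFFICE/SERVICES.ASP 200",
    "2002-04-18 21:46:02 10.0.0.5 admin GET /BOADMIN/BACKOFFICE/SERVICES.ASP 200",
    "2002-04-18 21:46:10 10.0.0.7 - GET /index.htm 200",
    "2002-04-18 21:47:00 10.0.0.9 - GET /BOADMIN/BACKOFFICE/SERVICES.ASP 401",
]


def suspicious_admin_hits(log_lines):
    """Return (client ip, uri) for successful admin-tree hits with no
    logged user name: the trace this bypass would leave in the web log."""
    hits = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue  # blank line or W3C directive
        fields = line.split()
        if len(fields) != 7:
            continue
        _date, _time, client_ip, username, _method, uri, status = fields
        if uri.upper().startswith(ADMIN_PREFIX) and status == "200" and username == "-":
            hits.append((client_ip, uri))
    return hits


if __name__ == "__main__":
    for header in (None, "Basic", basic_header("admin", "s3cret-example"),
                   basic_header("admin", "wrong"), "Basic !!!"):
        print(repr(header), evaluate(header))
    print(suspicious_admin_hits(SAMPLE_LOG))
```

The bare "Basic" header, the case the advisory shows, passes the quoted gate and fails the hardened one; a wrong password and malformed base64 behave the same way, because all three populate AUTH_TYPE without IIS ever verifying a user. On the detection side, a 200 on the admin tree with cs-username "-" is worth alerting on regardless of whether the patch is installed, since a correctly authenticated Basic request logs the user name.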
Risk and Mitigating Factors:
By default, the Back Office Web Administrator is limited to the loop-back
address (127.0.0.1), which means that it cannot be accessed remotely.
However, it is not uncommon to change this to allow for remote
administration, since tying the Administrator to the loop-back address
defeats its purpose.
Basic authentication also needs to be enabled, which, again, is not
uncommon.
Fix Information:
Those whose configuration matches these criteria are strongly urged to
obtain the patch from Microsoft. See Microsoft Knowledge Base article
Q316838, http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316838,
for more details.
ADDITIONAL INFORMATION
The information has been provided by NGSSoftware Insight Security Research
<mailto:nisr@ngssoftware.com>.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.