Bugtraq mailing list archives

Explanation Authentix Input Validation Error


From: Lisa Saarloos <lisa () MAGNASHOP NL>
Date: Tue, 7 Nov 2000 10:06:52 +0100

Hi there,

Yesterday I posted an advisory concerning a bug in Authentix that would
allow users to bypass authentication. When I contacted the vendor about
this they were very responsive and after some emails going here and there
we agreed to postpone the bugtraq-posting for two weeks and give them time
to (among other things) create a part on their site explaining the issue.

I was moderately satisfied with the explanation-on-their-site part, that
way the details would be known anyway, though at a slower rate and everyone
would be happy..

But I haven't heard from them since, and I couldn't find a reference to the
issue on the site, and I still posted an incomplete advisory...

I want to set that right. I agree with vulnhelp that details will be known
eventually, and because the exploit is so very simple it can't take long,
so why not share it right away, so we all know what's going on, and can act
upon it...

Here goes:

As mentioned in the advisory (bugtraq-ID 1907), Authentix provides a way to
protect pages from unauthorized views.. But by providing a specially formed
URL you won't be prompted for your username and password.

Normally, after logging in, and after being redirected to your part of the
site, the URL looks like this:

http://my.secured.server/protected-directory/filename.ext

By giving a URL in the form:

http://my.secured.server/protected-directory./filename.ext (place a dot
after the shielded directory AND provide a direct filename)

there's a good chance you will be able to view the protected pages anyway.

In most cases a filename isn't that hard to guess (index.html, default.htm,
whatever), and with a little searching and guessing the name of the
protected-directory can be found in the same way...

It seems it does not work for everything, for example, when I found out
about this, images wouldn't show.. There seem to be some other limitations,
but I could not fit them in a "general rule" so quickly.. Neither ASP nor
this kind of Windows programming is in my expertise area, work/life goes
on, and Flicks Software was very responsive at that time, so I didn't look
into it any further...

Hope this makes it a little clearer...

with regards,

Lisa Saarloos

Beheer Magnashop International
beheer () magnashop nl
Zeestraat 78
2518 AD DEN HAAG
The Netherlands
+31 70 3604848
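
Added example, not part of the original post and not Authentix code: a sketch of the server-side check that closes this class of bypass by canonicalizing the request path before comparing it with the protected prefix. It assumes the filter matched the raw URL string while Windows resolved `protected-directory.` to the same directory; the function names and the `PROTECTED` list are hypothetical.

```python
from urllib.parse import unquote, urlsplit

# Placeholder prefix taken from the example URL in the post.
PROTECTED = ("/protected-directory",)

def _matches(path):
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)

def naive_is_protected(url):
    """Match the raw request path; the dot form does not match the prefix."""
    return _matches(urlsplit(url).path.lower())

def canonical_path(url):
    """Reduce a URL path to the name a Windows file system would open.

    Assumption: URL segments map to Win32 path segments, where trailing
    dots and spaces are dropped and a backslash is a separator. Stripping
    every trailing dot/space is stricter than Win32, so it fails closed.
    """
    raw = unquote(urlsplit(url).path).replace("\\", "/")
    out = []
    for seg in raw.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        seg = seg.rstrip(". ")
        if seg:
            out.append(seg.lower())
    return "/" + "/".join(out)

def is_protected(url):
    """Decide on the canonical path, so every alias of the directory matches."""
    return _matches(canonical_path(url))

# Constructed sample requests using the post's placeholder host.
SAMPLES = [
    "http://my.secured.server/protected-directory/filename.ext",
    "http://my.secured.server/protected-directory./filename.ext",
    "http://my.secured.server/protected-directory%2e/index.html",
    "http://my.secured.server/public/index.html",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(naive_is_protected(url), is_protected(url), url)
```

The same canonical path should also be the one handed to the file system, so the access decision and the file open cannot disagree.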

