Vulnerability Development mailing list archives

Re: Editing your ISP Account Details


From: amonotod <amonotod () NETSCAPE NET>
Date: Fri, 27 Oct 2000 12:02:57 CDT

On Thu 10/26/00 11:27 AM, Ankit wrote:
> I don't know whether this has come up earlier or not. But recently, I
> discovered a security loophole existing in Netscape Enterprise
This is not a vulnerability, it is a design feature.

> (At least, haven't tested on other OS's.)
NES is not an OS, it is a webserver.

> which allows any person having
> an account on that server to edit account details like Contact
> Information etc,
Yep, end-user access to their own account info, but nothing else.

> even if the sysadmin does not want normal users to do so.
Not enabled by default.

> This can lead to disastrous results, when applied to ISP's running
> the affected Operating Systems. This would mean that people can commit
> crimes, change their contact details in their ISP Database and get away
> scot-free, as the contact details do not lead to the actual culprits.
This is not true.  You can change only your typical user info and password,
but not your username.  This database is only used for access to the dial-up
service, POP/IMAP service, and possibly the user FTP service.  Like I said
though, you can change your password and contact info, but not your user
name.  Nor can you access other accounts, or the admin server itself. 

This database is almost definitely not tied directly to accounting, which will
still have your username, and your real contact info.  I'll tell you what, try
this:  Go into the AdminServer, and change any of your info to whatever you
want.  Now wait until the next time you should get billed for service.  If you
don't get a bill, congratulations, you have a real moron working at your ISP
(although your account will probably be turned off shortly for non-payment).
Otherwise, like I said, it's enduser display info only.  

Now here's how this feature may be used as a vulnerability, but only as a way
to reap others' personal information:  Point your LDAP client (if the ISP is
using LDAP, and not NES' built-in database) at their server; if they have not
secured it properly, you'll see every other client's information, which will be
real info, unless they also know which port to connect to in order to change
their own info.

> I would like to get your feedback on this issue and correct me wherever,
> I have gone wrong. I have attached the entire process for you to see.
See above for where you have gone wrong.  I have listed below some links for
you, so that you may better understand what you are/are not seeing. 
iPlanet/Netscape make kick ass server products, and I freakin swear by them. 
Screw billy boy's Internet Insanity Server.

> Have a Nice Day,
> Ankit Fadia
> Founder, Hacking Truths
> http://hackingtruths.box.sk
Perhaps you mean "Hacking Myths,"
amonotod

Link to all Netscape Server Product manuals:
http://docs.iplanet.com/docs/manuals/enterprise.html

Link to logging in to the admin server, with access levels:
http://docs.iplanet.com/docs/manuals/enterprise/mngserv/concepts.htm#1014261

The concept on which your "vulnerability" depends, distributed admin:
http://docs.iplanet.com/docs/manuals/enterprise/mngserv/config.htm#1069068

If you'd like to take the product out for a spin, so next time you won't be
talking out your arse, try this link:
http://www.iplanet.com/downloads/download/
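
As a defender's check for the LDAP exposure described in the reply above, this added example (not part of the original message, and not iPlanet code) audits directory access rules for ones that let anonymous or arbitrary subscribers read contact data, or let users rewrite their own uid. It assumes the directory stores its rules as Netscape/iPlanet-style `aci` strings; the sample LDIF, attribute list and function name are constructed for illustration.

```python
import re

# Attributes treated as personal or identifying data (assumed for this example).
PERSONAL = {"telephonenumber", "postaladdress", "mail", "userpassword"}
# "anyone" includes anonymous binds; "all" means any authenticated user.
BROAD = {"ldap:///anyone": "anonymous-read", "ldap:///all": "any-subscriber-read"}
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)'
    r'.*?acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<verb>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"(?P<subject>[^"]*)"', re.IGNORECASE)

# Constructed sample: ACIs on a hypothetical subscriber subtree, with folded lines.
SAMPLE_LDIF = """\
dn: ou=People,o=isp.example
aci: (targetattr = "*")(version 3.0; acl "Anonymous read"; allow (read,
  search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "telephoneNumber || postalAddress || userPassword")
 (version 3.0; acl "Self service"; allow (write) userdn = "ldap:///self";)
aci: (targetattr != "userPassword")(version 3.0; acl "Subscribers read";
  allow (read, search) userdn = "ldap:///all";)
"""

def audit_acis(ldif):
    """Return (acl name, finding, attributes) for rules that expose subscribers."""
    findings = []
    for line in ldif.replace("\n ", "").splitlines():  # undo LDIF line folding
        m = ACI_RE.search(line) if line.lower().startswith("aci:") else None
        if not m or m["verb"].lower() != "allow":
            continue
        rights = {r.strip().lower() for r in m["rights"].split(",")}
        attrs = {a.strip().lower() for a in m["attrs"].split("||")}
        negated, subject = m["op"] == "!=", m["subject"].lower()

        def covers(attr):  # does the targetattr expression include this attribute?
            return (attr not in attrs) if negated else ("*" in attrs or attr in attrs)

        exposed = sorted(a for a in PERSONAL if covers(a))
        if subject in BROAD and rights & {"read", "search", "compare"} and exposed:
            findings.append((m["name"], BROAD[subject], exposed))
        # Self-service should cover contact info and password, never the username.
        if subject == "ldap:///self" and "write" in rights and covers("uid"):
            findings.append((m["name"], "self-rename", ["uid"]))
    return findings

if __name__ == "__main__":
    for name, finding, attrs in audit_acis(SAMPLE_LDIF):
        print(f"{finding:20} acl={name!r} attrs={', '.join(attrs)}")
```

The "Self service" rule in the sample produces no finding because it limits writes to contact fields and the password, which matches the behaviour the reply describes.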

