Vulnerability Development mailing list archives
Re: Editing your ISP Account Details
From: amonotod <amonotod () NETSCAPE NET>
Date: Fri, 27 Oct 2000 12:02:57 CDT
On Thu 10/26/00 11:27 AM, Ankit wrote:
> I don't know whether this has come up earlier or not. But recently, I discovered a security loophole existing in Netscape Enterprise
This is not a vulnerability, it is a design feature.
> (At least, haven't tested on other OS's.)
NES is not an OS, it is a webserver.
> which allows any person having an account on that server to edit account details like Contact Information etc,
Yep, end-user access to their own account info, but nothing else.
> even if the sysadmin does not want normal users to do so.
Not enabled by default.
> This can lead to disastrous results, when applied to ISPs running the affected Operating Systems. This would mean that people can commit crimes, change their contact details in their ISP Database and get away scot-free, as the contact details do not lead to the actual culprits.
This is not true. You can change only your typical user info and password, but not your username. This database is only used for access to the dial-up service, POP/IMAP service, and possibly the user FTP service. Like I said though, you can change your password and contact info, but not your user name. Nor can you access other accounts, or the admin server itself. This database is almost definitely not tied directly to accounting, which will still have your username, and your real contact info.
I'll tell you what, try this: Go into the AdminServer, and change any of your info to whatever you want. Now wait until the next time you should get billed for service. If you don't get a bill, congratulations, you have a real moron working at your ISP (although your account will probably be turned off shortly for non-payment). Otherwise, like I said, it's end-user display info only.
Now here's how this feature may be used as a vulnerability, but only as a way to reap others' personal information: Point your LDAP client (if the ISP is using LDAP, and not NES' built-in database) at their server; if they have not secured it properly, you'll see every other client's information, which will be real info, unless they also know which port to connect to in order to change their own info.
> I would like to get your feedback on this issue and correct me wherever I have gone wrong. I have attached the entire process for you to see.
See above for where you have gone wrong. I have listed below some links for you, so that you may better understand what you are/are not seeing. iPlanet/Netscape make kick ass server products, and I freakin swear by them. Screw billy boy's Internet Insanity Server.
> Have a Nice Day,
> Ankit Fadia
> Founder, Hacking Truths
> http://hackingtruths.box.sk
Perhaps you mean "Hacking Myths,"
amonotod
Link to all Netscape Server Product manuals: http://docs.iplanet.com/docs/manuals/enterprise.html
Link to logging in to the admin server, with access levels: http://docs.iplanet.com/docs/manuals/enterprise/mngserv/concepts.htm#1014261
The concept on which your "vulnerability" depends, distributed admin: http://docs.iplanet.com/docs/manuals/enterprise/mngserv/config.htm#1069068
If you'd like to take the product out for a spin, so next time you won't be talking out your arse, try this link: http://www.iplanet.com/downloads/download/
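The reply above turns on two access-control properties: self-service edits limited to contact info and password (never the username), and a directory that does not hand every client's information to anyone who connects. The following audit sketch is an added example, not part of the original post or of any Netscape/iPlanet product; it assumes the ISP's directory uses Netscape/389 Directory Server style ACIs, and the sample ACIs, attribute sets and function names are constructed for illustration.

```python
import re

# Constructed sample ACIs (assumed Netscape/389 Directory Server ACI syntax).
SAMPLE_ACIS = [
    '(targetattr = "*")(version 3.0; acl "anon read all"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)',
    '(targetattr = "telephoneNumber || postalAddress || userPassword")'
    '(version 3.0; acl "self edit"; allow (write) userdn = "ldap:///self";)',
    '(targetattr = "uid || mail")(version 3.0; acl "self rename"; '
    'allow (write) userdn = "ldap:///self";)',
    '(targetattr = "cn")(version 3.0; acl "anon cn"; '
    'allow (read, search) userdn = "ldap:///anyone";)',
]
# Hypothetical attribute sets: what counts as personal data / account identity.
PERSONAL = {"telephonenumber", "postaladdress", "homephone", "mail", "userpassword"}
IDENTITY = {"uid"}

ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*allow\s*\((?P<rights>[^)]*)\)'
    r'\s*userdn\s*=\s*"ldap:///(?P<who>[^"]*)";\s*\)')

def parse_aci(text):
    """Parse one allow-ACI with a targetattr and a single userdn bind rule."""
    m = ACI_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unsupported ACI form: " + text)
    return {"name": m["name"], "negated": m["op"] == "!=", "who": m["who"].lower(),
            "attrs": {a.strip().lower() for a in m["attrs"].split("||")},
            "rights": {r.strip().lower() for r in m["rights"].split(",")}}

def covered(aci, wanted):
    """Attributes from `wanted` that this ACI's targetattr applies to."""
    if aci["negated"]:
        return wanted - aci["attrs"]
    return set(wanted) if "*" in aci["attrs"] else wanted & aci["attrs"]

def audit(acis):
    """Flag anonymous reads of personal data and self-service writes to uid."""
    findings = []
    for aci in map(parse_aci, acis):
        if aci["who"] == "anyone" and aci["rights"] & {"read", "search", "compare"}:
            if hit := covered(aci, PERSONAL):
                findings.append((aci["name"], "anonymous-read", sorted(hit)))
        if aci["who"] == "self" and "write" in aci["rights"]:
            if hit := covered(aci, IDENTITY):
                findings.append((aci["name"], "self-write-identity", sorted(hit)))
    return findings
```

Calling `audit(SAMPLE_ACIS)` reports the wildcard anonymous-read rule and the self-write rule that covers `uid`; the contact-info-and-password self-edit rule and the anonymous `cn` read pass.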