OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: ppp-design (securityppp-design.de)
Date: Sun Apr 28 2002 - 15:59:52 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ppp-design found the following authentication bypass vulnerability in
    Blahz-DNS:

    Details
    - -------
    Product: Blahz-DNS
    Affected Version: 0.2 and maybe all versions before
    Immune Version: 0.25
    OS affected: OS indipentend (php/mysql)
    Vendor-URL: http://blahzdns.sourceforge.net
    Vendor-Status: informed, new version avaiable
    Security-Risk: very high
    Remote-Exploit: Yes

    Introduction
    - ------------
    Blahz-DNS is PHP/MySQL based DNS (BIND 9) administration with support
    for primary and secondary zones, user authentication, User and Admin
    account types, and restricted access for user accounts to certain
    primary and secondary zones. Unfortunately the security concept is
    broken by design. One can easily access any page different to
    login.php without any proper password.

    More details
    - ------------
    The software is using a very poor security concept: The user is only
    asked for a valid user password combination at the login page. Access
    to any other page is granted without any password.

    Proof-of-concept
    - ----------------
    At http://www.example.com/dostuff.php?action=modify_user a blackhat
    can change existing users (eg. changing passwords) or add new users
    without beeing authorized.

    Temporary-Fix
    - -------------
    Use apache's .htpasswd to temporary restrict access to blahzdns.

    Fix
    - ---
    Use at least version 0.25.

    Security-Risk
    - -------------
    A blackhat can easily manipulate DNS entries remotly without being
    authorized in any way. This often is the first step of a hacking
    scenario. Therefore we are rating the security risk to very high.

    Vendor status
    - -------------
    The author has reacted very fast and published a new version in less
    than 12 hours. All users are encouraged to upgrade.

    Disclaimer
    - ----------
    All information that can be found in this advisory is believed to be
    true, but maybe it is not. ppp-design can not be held responsible for
    the use or missuse of this information. Redistribution of this text is
    only permitted if the text has not been altered and the original
    author ppp-design (http://www.ppp-design.de) is mentioned.

    This advisory can be found online:
    http://www.ppp-design.de/advisories.php

    - --
    ppp-design
    http://www.ppp-design.de
    Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
    Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: Weitere Infos: siehe http://www.gnupg.org

    iD8DBQE8zGLIDXh7YLO1RRoRAt6jAKD/OWtKVFYPf43qf+bn7FkgO/aQNQCg+SZM
    evvtdioc+eCyDb6BljBbO50=
    =pJKo
    -----END PGP SIGNATURE-----