Tuesday, July 26, 2011

Authentix Vulnerabilities

While doing some work on an Authentix system, I discovered a few very basic JavaScript injection and cross-site scripting vulnerabilities. After finding these, I did some research, and it appears that these issues had already been discovered and reported to the vendor in previous versions, yet they still remain in the latest version of the software. The issue is mitigated slightly by the fact that the vulnerability occurs on an admin page, visible only after login, but I wouldn't doubt that other areas of the site exhibit the same issues.

Authentix is a webpage protection tool that uses IIS and NT user names as a backend. You can read more about the product here: http://www.flicks.com/flicks/authx.htm. To me, it seems like a very antiquated tool, but apparently it is still used in production environments.

The vulnerability occurs within the remote administration webpage while editing user accounts. After logging in, browse to the delete user admin page at: https://server.site.com/scripts/aspadmin/deleteUserSelect.asp

This page allows you to enter the user name of the user you wish to delete.
When you click "delete user," the site appears to silently pass the parameter to the next page as shown here in the URL:
https://site.server.com/scripts/aspadmin/deleteUser.asp
And here on the webpage:
So this part got me thinking. After looking into the code a bit, I found that the textbox where the name is originally entered is called "username." So suppose we pass that in via the URL rather than typing it in the box and clicking the button? Let's try it:
https://site.server.com/scripts/aspadmin/deleteUser.asp?username=johnny
Now this is why we have a problem. The webpage appears to display, without any encoding, whatever text was typed after "username=" in the URL. This is exactly how JavaScript injection and cross-site scripting start. So now let's try a new URL:

https://site.server.com/scripts/aspadmin/deleteUser.asp?username=';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

(This code was taken from http://ha.ckers.org/xss.html which is a very nice XSS cheat-sheet).

This URL works nicely:

This works on several other pages as well, including some that are persistent. I have only tested to see whether a few other pages are vulnerable, but the entire site appears to be a bit outdated, especially from a design standpoint. I have emailed the company again (they have been contacted previously about this) and, if I receive a response, will include it here.
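To make the root cause concrete, here is an added example (my own code, not part of the original post and not the Authentix product's ASP) that models the behaviour described above in plain JavaScript: a page handler that concatenates the `username` query parameter straight into its HTML, next to the same handler with output encoding applied. The host name in `PAYLOAD_URL` is a placeholder, and the `containsScript` check is a deliberately simple detector for this demonstration, not a general XSS filter.

```javascript
// Added example: modelling a reflected parameter with and without output encoding.
// Not the original post's code and not the vendor's ASP; the URL host is a placeholder.

// Encode the five characters that matter when inserting text into an HTML
// text node or a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: the parameter is concatenated straight into the page,
// which is the behaviour the post observes on deleteUser.asp.
function renderDeleteConfirmUnsafe(username) {
  return `<p>User ${username} has been deleted.</p>`;
}

// Hardened rendering: the parameter is HTML-encoded before it reaches the page.
function renderDeleteConfirmSafe(username) {
  return `<p>User ${escapeHtml(username)} has been deleted.</p>`;
}

// Pull the username out of a request URL the way the server would.
function usernameFromUrl(url) {
  return new URL(url).searchParams.get('username');
}

// Minimal detector for this demo: does the rendered markup contain a script
// element or an inline event handler? (Not a general-purpose XSS filter.)
function containsScript(html) {
  return /<script\b/i.test(html) || /\bon\w+\s*=/i.test(html);
}

// The cheat-sheet payload quoted in the post, carried in a constructed URL
// with a placeholder host. Double backslashes are just JavaScript escaping.
const PAYLOAD = `';alert(String.fromCharCode(88,83,83))//\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>`;
const PAYLOAD_URL =
  'https://site.example/scripts/aspadmin/deleteUser.asp?username=' + encodeURIComponent(PAYLOAD);

// Walk both renderings for a benign name and for the payload.
function demo() {
  const results = {};
  for (const url of ['https://site.example/scripts/aspadmin/deleteUser.asp?username=johnny', PAYLOAD_URL]) {
    const name = usernameFromUrl(url);
    results[name.length > 20 ? 'payload' : name] = {
      unsafeExecutable: containsScript(renderDeleteConfirmUnsafe(name)),
      safeExecutable: containsScript(renderDeleteConfirmSafe(name)),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The fix is the same wherever the parameter is reflected: encode on output for the context it lands in. In classic ASP that is `Server.HTMLEncode(Request("username"))` for HTML text and attribute contexts; the payload in the post also breaks out of JavaScript string contexts, so a value placed inside a `<script>` block needs JavaScript-string encoding rather than HTML encoding.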
