Microsoft Commerce Server 2002: Logon as known user with a false password

2006.03.18
Credit: Dimitri
Risk: Medium
Local: Yes
Remote: Yes
CVE: CVE-2006-1257
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Microsoft Commerce Server 2002: Logon as known user with a false password Vulnerable: Microsoft Windows Server 2000/2003 + Internet Information Server 5/6 + Commerce Server 2002 Discussion: Microsoft Commerce Server is used by company's who want to give customers the opportunity to change there own details on the internet or buying products. Company's who use it are: eCommerce site's or interactive company's The problem lays in the sample files of "authfiles". If you make your own Solution site in Commerce Server and the "authfiles" are installed on your server, you're vulnerable for positive user logon's using false passwords. If you know a user (some site's uses a e-mail address) and you go to http://site/authfiles/login.asp (some site's has it in an other directory) and you enter the Username and a false password you get a error. After the error's you go with the same browser to the directory root of the site http://site/ You get an other error and if you go again to the site and you are logon as the entered user. Vendor Response time: 31-03-2003 - First contact 26-08-2003 - Fixed in SP2 Status: Fixed by Microsoft Download & Install Service Pack 2: http://www.microsoft.com/downloads/details.aspx?FamilyID=58e6d658-cc3e-4 846- 8ef7-264e6eeb4c1e -- Quote Readme.htm -- A fix for a security issue reported by Dimitri van de Giessen -- End Quote Readme.htm -- Also they already made a warning before Service Pack 2 came: http://msdn.microsoft.com/library/en-us/csvr2002/htm/cs_se_securityconce pts_ cbgw.asp?frame=true#cs_se_securecode_viuy -- Quote Microsoft -- Solution Sites AuthFiles Folder: Remove Directory The Solution Sites include a folder called AuthFiles. You can use the files in this folder if you want to integrate AuthFilter into your site. If you do not want to use AuthFilter, you must remove the AuthFiles directory or remove the permissions from the directory. If you do not, your site will be a security risk. -- End Quote Microsoft --. Contact: Dimitri van de Giessen E-mail d.vd.giessen (at) xs4all (dot) nl [email concealed] Tel. number: +31622607367 (The Netherlands)


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top