http://securitytracker.com/alerts/2001/Oct/1002642.html
iBill Internet Commerce Billing System Uses Weak Authentication Method in the Default Configuration, Allowing Remote Users to Modify User Accounts on the System
Date: Oct 26 2001
Impact: Modification of user information, User access via network
Exploit Included: Yes
Description: A vulnerability was reported in the iBill Internet commerce billing system. Weak authentication allows remote users to modify the system configuration.
It is reported that iBill uses a weak password authentication method for the "ibillpm.pl" Perl-based user management script, part of the Password Management system. The weak password is reportedly based on a customer-specific fixed value plus two lowercase letters.
A remote user can feasibly conduct a brute force attack, generating POST messages to guess the password and add, delete, or change the password of users in the .htpasswd file.
It is also reported that the software does not log POST data and does not track username changes.
This vulnerability affects users that use iBill's Password Management system in the default configuration.
Demonstration exploit code is provided in the Source Message.
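Because the management script itself does not log POST data, the web server's access log is the place a site operator can still see a guessing run: with the password suffix limited to two lowercase letters there are only 26^2 = 676 candidates, so an exhaustive run shows up as a dense burst of POSTs to ibillpm.pl from one source. The script below is an added detection example, not part of the advisory or of iBill's software. It assumes Apache common log format, the sample lines are constructed (not real traffic), and the 60-second window and 20-request threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "common log format" request line. The application does not log POST
# data (per the advisory), but the web server still records the request line,
# so a burst of POSTs to the management script remains visible there.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec

def max_hits_in_window(times, window_seconds):
    """Largest number of timestamps falling inside any window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_bruteforce(lines, script="ibillpm.pl", window_seconds=60, threshold=20):
    """Return {ip: peak POST count} for sources whose POSTs to the script
    reach `threshold` inside any `window_seconds` window (assumed tuning)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/" + script):
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        peak = max_hits_in_window(times, window_seconds)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def _constructed_log():
    """Constructed sample lines (not real traffic): one source fires 30 POSTs
    in 30 seconds, another makes three POSTs spread over fifteen minutes."""
    fmt = '{ip} - - [{ts} -0400] "{method} {path} HTTP/1.0" {status} 312'
    base = datetime(2001, 10, 26, 10, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S")
    lines = [fmt.format(ip="192.0.2.10", ts=stamp(i), method="POST",
                        path="/cgi-bin/ibillpm.pl", status=200) for i in range(30)]
    lines += [fmt.format(ip="198.51.100.7", ts=stamp(s), method="POST",
                         path="/cgi-bin/ibillpm.pl", status=200) for s in (0, 300, 900)]
    lines.append(fmt.format(ip="203.0.113.4", ts=stamp(45), method="GET",
                            path="/members/index.html", status=200))
    lines.append("this line is deliberately malformed")   # exercises parse_line's None path
    return lines

SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} POSTs to ibillpm.pl within 60 s")
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines; the three slow POSTs from the second source stay under the threshold, which is the point of a windowed count rather than a plain total. If the script has been moved (workaround 1 below), pass the new name as `script`.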
Impact: A remote user can add an arbitrary username and password to a web site's "member" section.
Solution: No vendor solution was available at the time of this entry.
The author of the report has provided the following workarounds:
"1) Move the script to a less obvious place than the default so it's harder to find (don't forget to change the path at the iBill admin website).
2) Request that iBill set a more secure password for the ibillpm.pl script.
3) Change your webserver config (httpd.conf for Apache) to only allow addresses from .ibill.com to access the path to ibillpm.pl. See your webserver documentation for details on how to do this."