iBill bug

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • [Labret]
    Registered User
    • May 2001
    • 10945

    #1

    iBill bug

    http://securitytracker.com/alerts/2001/Oct/1002642.html

    iBill Internet Commerce Billing System Uses Weak Authentication Method in the Default Configuration, Allowing Remote Users to Modify User Accounts on the System

    Date: Oct 26 2001

    Impact: Modification of user information, User access via network

    Exploit Included: Yes

    Description: A vulnerability was reported in the iBill Internet commerce billing system. Weak authentication allows remote users to modify the system configuration.

    It is reported that iBill uses a weak password authentication method for the "ibillpm.pl" Perl-based user management script, part of the Password Management system. The weak password is reportedly based on a customer-specific fixed value plus two lowercase letters.

    A remote user can feasibly conduct a brute force attack, generating POST messages to guess the password and add, delete, or change the password of users in the .htpasswd file.

    It is also reported that the software does not log POST data and does not track username changes.

    This vulnerability affects users that use iBill's Password Managment system in the default configuration.

    Demonstration exploit code is provided in the Source Message.

    Impact: A remote user can add an arbitrary username and password to a web site's "member" section.

    Solution: No vendor solution was available at the time of this entry.

    The author of the report has provided the following workarounds:

    "1) Move the script to a less obvious place than the default so it's harder to find (don't forget to change the path at the iBill admin website).
    2) Request that iBill set a more secure password for the ibillpm.pl script.
    3) Change your webserver config (httpd.conf for Apache) to only allow addresses from .ibill.com to access the path to ibillpm.pl. See your webserver documentation for details on how to do this."

  • awechen
    Confirmed User
    • Oct 2001
    • 162

    #2
    Originally posted by [Labret]:
    3) Change your webserver config (httpd.conf for Apache) to only allow addresses from .ibill.com to access the path to ibillpm.pl. See your webserver documentation for details on how to do this."
    do this:
    make a new virtuall host on a other port
    like http://foo.com:888/ibill.pl
    and enable only this port in your firewall config connections from ibill.
    ......
    if u handal this by apache ..this in unsecure aginst IP spoofing
    a firewall rule will be nicer.

    or better use thge I-bill pin code system

    ------------------
    "Shock your systemadministration! Read manual-pages!"
    ah you have been blessed with 72 virgins?

    Comment

    • quiet
      we'll miss you our friend. RIP
      • Sep 2001
      • 25115

      #3
      not that related, but i am seeing some weird behavior with the cmi login page starting about 30 minutes ago. logging in just keeps giving the login page, and you never go any farther. haven't seen this type of 'error' in almost 4 years of ibill. weird.
      we'll miss you our friend. RIP

      Comment

      • pimplink
        Confirmed User
        • Jun 2001
        • 9535

        #4
        Hmmmm, maybe this relates to why ARS stats "jump and dive" from week to week. Maybe remote hacking diverts sales from many webmasters to other accounts.

        Hopefully, if this is true, the v 2.5 ARS fix will end this problem, assuming it exists?

        Originally posted by [Labret]:
        http://securitytracker.com/alerts/2001/Oct/1002642.html

        iBill Internet Commerce Billing System Uses Weak Authentication Method in the Default Configuration, Allowing Remote Users to Modify User Accounts on the System

        Date: Oct 26 2001

        Impact: Modification of user information, User access via network

        Exploit Included: Yes

        Description: A vulnerability was reported in the iBill Internet commerce billing system. Weak authentication allows remote users to modify the system configuration.

        It is reported that iBill uses a weak password authentication method for the "ibillpm.pl" Perl-based user management script, part of the Password Management system. The weak password is reportedly based on a customer-specific fixed value plus two lowercase letters.

        A remote user can feasibly conduct a brute force attack, generating POST messages to guess the password and add, delete, or change the password of users in the .htpasswd file.

        It is also reported that the software does not log POST data and does not track username changes.

        This vulnerability affects users that use iBill's Password Managment system in the default configuration.

        Demonstration exploit code is provided in the Source Message.

        Impact: A remote user can add an arbitrary username and password to a web site's "member" section.

        Solution: No vendor solution was available at the time of this entry.

        The author of the report has provided the following workarounds:

        "1) Move the script to a less obvious place than the default so it's harder to find (don't forget to change the path at the iBill admin website).
        2) Request that iBill set a more secure password for the ibillpm.pl script.
        3) Change your webserver config (httpd.conf for Apache) to only allow addresses from .ibill.com to access the path to ibillpm.pl. See your webserver documentation for details on how to do this."

        Need Mainstream Content and SEO?
        SEO * Website Copy * Blogs
        Blogging - PR Work - Forum Marketing - Social Marketing - Link building - Articles
        100% Guaranteed Content!

        Comment

        Working...