Old 10-30-2001, 06:43 AM   #1
[Labret]
Registered User
 
Industry Role:
Join Date: May 2001
Location: Са́нкт-Петербу́рг
Posts: 10,945
iBill bug

http://securitytracker.com/alerts/2001/Oct/1002642.html

iBill Internet Commerce Billing System Uses Weak Authentication Method in the Default Configuration, Allowing Remote Users to Modify User Accounts on the System

Date: Oct 26 2001

Impact: Modification of user information, User access via network

Exploit Included: Yes

Description: A vulnerability was reported in the iBill Internet commerce billing system. Weak authentication allows remote users to modify the system configuration.

It is reported that iBill uses a weak password authentication method for the "ibillpm.pl" Perl-based user management script, part of the Password Management system. The weak password is reportedly based on a customer-specific fixed value plus two lowercase letters.

A remote user can feasibly conduct a brute force attack, generating POST messages to guess the password and add, delete, or change the password of users in the .htpasswd file.

It is also reported that the software does not log POST data and does not track username changes.

This vulnerability affects users that use iBill's Password Management system in the default configuration.

Demonstration exploit code is provided in the Source Message.

Impact: A remote user can add an arbitrary username and password to a web site's "member" section.

Solution: No vendor solution was available at the time of this entry.

The author of the report has provided the following workarounds:

"1) Move the script to a less obvious place than the default so it's harder to find (don't forget to change the path at the iBill admin website).
2) Request that iBill set a more secure password for the ibillpm.pl script.
3) Change your webserver config (httpd.conf for Apache) to only allow addresses from .ibill.com to access the path to ibillpm.pl. See your webserver documentation for details on how to do this."

Old 10-30-2001, 09:48 AM   #2
awechen
Confirmed User
 
Join Date: Oct 2001
Location: LA
Posts: 162
Quote:
Originally posted by [Labret]:
3) Change your webserver config (httpd.conf for Apache) to only allow addresses from .ibill.com to access the path to ibillpm.pl. See your webserver documentation for details on how to do this."
do this:
make a new virtual host on another port
like http://foo.com:888/ibill.pl
and in your firewall config, enable connections to this port only from ibill.
......
if you handle this via Apache, this is insecure against IP spoofing;
a firewall rule will be nicer.

or better, use the iBill PIN code system

------------------
"Shock your systemadministration! Read manual-pages!"
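Workaround 3 in the advisory and awechen's firewall suggestion both come down to restricting who can reach ibillpm.pl, and since the advisory notes that the script itself does not log POST data, the web server's access log is what remains for spotting a guessing run after the fact. The following is an added example for this thread, not code from iBill, from the advisory author or from anyone posting here: a small Python script that reads Apache combined-format access-log lines and reports (a) hosts that POST to the script more than a threshold number of times within a one-minute window and (b) hosts calling the script from outside an allowed source range. The script path /cgi-bin/ibillpm.pl, the allowed prefix 203.0.113., the threshold of 20 and the log lines themselves are all assumptions or constructed samples, not values taken from iBill.

```python
"""Flag brute-force POST bursts and unexpected callers of the iBill
password-management script in an Apache combined-format access log.

Added example for this thread; not iBill's code or the advisory's exploit.
The script path, allowed prefix, threshold and sample log are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed location of the user-management script (the advisory's workaround 1
# suggests moving it, so adjust to wherever it actually lives).
SCRIPT_PATH = "/cgi-bin/ibillpm.pl"

# The advisory says the password is a fixed value plus two lowercase letters,
# so a full guessing run is at most 26 * 26 = 676 POSTs. A threshold well below
# that still catches a run early. Threshold and window are tuning choices.
THRESHOLD = 20
WINDOW_SECONDS = 60

# Source addresses that legitimately call the script (the idea behind
# workaround 3 and the firewall rule). Placeholder documentation prefix:
# replace with the addresses iBill actually uses.
ALLOWED_PREFIXES = ("203.0.113.",)

# Apache combined log format: ip ident user [timestamp] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        # Drop any query string so /cgi-bin/ibillpm.pl?x=1 still matches the path.
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def analyze(lines):
    """Return (bursts, outsiders).

    bursts: {ip: max POSTs to SCRIPT_PATH seen inside any WINDOW_SECONDS span}
            for every ip that reached THRESHOLD.
    outsiders: set of ips that called SCRIPT_PATH from outside ALLOWED_PREFIXES.
    """
    posts = defaultdict(list)
    outsiders = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != SCRIPT_PATH:
            continue
        if not rec["ip"].startswith(ALLOWED_PREFIXES):
            outsiders.add(rec["ip"])
        if rec["method"] == "POST":
            posts[rec["ip"]].append(rec["ts"])

    bursts = {}
    for ip, stamps in posts.items():
        stamps.sort()
        left = 0
        # Sliding window over the sorted timestamps: count POSTs within WINDOW_SECONDS.
        for right, t in enumerate(stamps):
            while (t - stamps[left]).total_seconds() > WINDOW_SECONDS:
                left += 1
            count = right - left + 1
            if count >= THRESHOLD:
                bursts[ip] = max(bursts.get(ip, 0), count)
    return bursts, outsiders


def sample_log():
    """Constructed sample: one legitimate call from the allowed range, one
    ordinary members-area request, and 25 POSTs in 25 seconds from one outside host."""
    lines = [
        '203.0.113.10 - - [30/Oct/2001:09:00:00 -0500] "POST /cgi-bin/ibillpm.pl HTTP/1.0" 200 512 "-" "iBill-PM/1.0"',
        '198.51.100.7 - - [30/Oct/2001:09:00:05 -0500] "GET /members/index.html HTTP/1.0" 401 310 "-" "Mozilla/4.0"',
    ]
    for i in range(25):
        lines.append(
            '198.51.100.7 - - [30/Oct/2001:09:01:%02d -0500] "POST /cgi-bin/ibillpm.pl HTTP/1.0" 200 128 "-" "-"' % i
        )
    return lines


if __name__ == "__main__":
    bursts, outsiders = analyze(sample_log())
    for ip, n in bursts.items():
        print("burst: %s sent %d POSTs to %s within %ds" % (ip, n, SCRIPT_PATH, WINDOW_SECONDS))
    for ip in sorted(outsiders):
        print("outsider: %s called %s from outside the allowed range" % (ip, SCRIPT_PATH))
```

Run it against a real log with something like `analyze(open("access_log"))`. The access log records only the request line, not the POST body, so it cannot tell which guesses were tried; what it can show is that a single host hammered the script, and a host outside the expected range calling it at all is itself worth an alert.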
Old 10-30-2001, 01:29 PM   #3
quiet
we'll miss you our friend. RIP
 
Industry Role:
Join Date: Sep 2001
Location: Fernie, BC
Posts: 25,115
not that related, but I am seeing some weird behavior with the cmi login page starting about 30 minutes ago. logging in just keeps giving the login page, and you never go any farther. haven't seen this type of 'error' in almost 4 years of ibill. weird.
Old 10-30-2001, 01:44 PM   #4
pimplink
Confirmed User
 
Join Date: Jun 2001
Location: Closer than you think
Posts: 9,535
Hmmmm, maybe this relates to why ARS stats "jump and dive" from week to week. Maybe remote hacking diverts sales from many webmasters to other accounts.

Hopefully, if this is true, the v 2.5 ARS fix will end this problem, assuming it exists?

Quote:
Originally posted by [Labret]:
http://securitytracker.com/alerts/2001/Oct/1002642.html

iBill Internet Commerce Billing System Uses Weak Authentication Method in the Default Configuration, Allowing Remote Users to Modify User Accounts on the System

Date: Oct 26 2001

Impact: Modification of user information, User access via network

Exploit Included: Yes

Description: A vulnerability was reported in the iBill Internet commerce billing system. Weak authentication allows remote users to modify the system configuration.

It is reported that iBill uses a weak password authentication method for the "ibillpm.pl" Perl-based user management script, part of the Password Management system. The weak password is reportedly based on a customer-specific fixed value plus two lowercase letters.

A remote user can feasibly conduct a brute force attack, generating POST messages to guess the password and add, delete, or change the password of users in the .htpasswd file.

It is also reported that the software does not log POST data and does not track username changes.

This vulnerability affects users that use iBill's Password Managment system in the default configuration.

Demonstration exploit code is provided in the Source Message.

Impact: A remote user can add an arbitrary username and password to a web site's "member" section.

Solution: No vendor solution was available at the time of this entry.

The author of the report has provided the following workarounds:

"1) Move the script to a less obvious place than the default so it's harder to find (don't forget to change the path at the iBill admin website).
2) Request that iBill set a more secure password for the ibillpm.pl script.
3) Change your webserver config (httpd.conf for Apache) to only allow addresses from .ibill.com to access the path to ibillpm.pl. See your webserver documentation for details on how to do this."