#3 Authentication bypass through redirect abuse

closed
Chris Travers
None
5
2014-08-20
2006-11-20
No

Redirection in logout code of login.pl can be used to gain some access to the system without authenticating.

http://127.0.0.1/ledger-smb/login.pl?login=demo&script=am.pl%3faction%3dcompany_logo&action=logout

Note: I have only confirmed this in 1.2beta2 (+fix for 1599342) and svn at this point in time

Discussion

  • Chris Travers
    2006-11-21

    Logged In: YES
    user_id=80610
    Originator: NO

    Easy enough to fix. Will get that done tonight.

    My plan is to hardcode all values in the callback value used in the logout function. For example, we certainly know what script is...

     
  • Chris Travers
    2006-11-21

    • assigned_to: nobody --> einhverfr
     
  • Chris Travers
    2006-11-21

    Logged In: YES
    user_id=80610
    Originator: NO

    I believe I have this fixed. I will verify when I get back to where I have a working 1.2 svn install.

     
  • Chris Travers
    2006-11-21

    • status: open --> closed
     
  • Chris Travers
    2006-11-21

    Logged In: YES
    user_id=80610
    Originator: NO

    Verified fixed. There are some possible DoS issues that still need to be discussed, but the severe issues are taken care of.

     
  • Chris Travers
    2007-10-12

    Logged In: YES
    user_id=80610
    Originator: NO

    This was fixed in 1.1.5
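
The request pattern reported in this ticket and the hardcoding fix planned in the discussion, as an added example (not LedgerSMB code and not written by the ticket participants). The two callback functions are hypothetical models of a logout handler; `LOGOUT_SCRIPT`, all function names, and the second and third sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: the one script a logout may hand control back to.
LOGOUT_SCRIPT = "login.pl"

# First URL is the one quoted in the ticket; the other two are constructed.
SAMPLE_REQUESTS = [
    "http://127.0.0.1/ledger-smb/login.pl?login=demo"
    "&script=am.pl%3faction%3dcompany_logo&action=logout",
    "http://127.0.0.1/ledger-smb/login.pl?login=demo&action=logout",
    "http://127.0.0.1/ledger-smb/login.pl?login=demo&script=login.pl&action=logout",
]

def _params(url):
    # parse_qs percent-decodes values, so %3f/%3d become '?' and '='.
    return parse_qs(urlsplit(url).query)

def callback_from_request(url):
    """Hypothetical pre-fix model: callback target is taken from 'script'."""
    return _params(url).get("script", [LOGOUT_SCRIPT])[0]

def callback_hardcoded(url):
    """Fix as described in the discussion: the callback values are constants."""
    return LOGOUT_SCRIPT  # request-supplied 'script' is ignored entirely

def smuggled_target(url):
    """Return (script, inner_action) when a logout request carries a
    callback other than the hardcoded one, else None."""
    params = _params(url)
    if params.get("action", [""])[0] != "logout" or "script" not in params:
        return None
    script = params["script"][0]
    if script == LOGOUT_SCRIPT:
        return None
    inner = urlsplit(script)
    return (inner.path, parse_qs(inner.query).get("action", [None])[0])

def flag_requests(urls):
    """Map each flagged URL to the script/action it tried to reach."""
    return {u: t for u in urls if (t := smuggled_target(u)) is not None}

if __name__ == "__main__":
    for url, target in flag_requests(SAMPLE_REQUESTS).items():
        print("flagged:", target, "<-", url)
```

`flag_requests` can be run over request URLs taken from web server access logs to find logout requests that carried a callback other than the fixed one.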