COMMAND
Authentix
SYSTEMS AFFECTED
Authentix all versions prior to version 5.3.
PROBLEM
Lisa Saarloos found the following. Authentix is a Windows-based
product that offers cookie/form-based or 100% cookie-free "Basic
Authentication" website protection while keeping NT user names
and passwords private. It protects all files, not just ASP pages.
It can validate against an internal database, a text file or an
external ODBC data source. It requires Windows NT or Windows 2000
and IIS.
By using special characters in the URL, combined with some special
circumstances, it is possible to bypass the authentication
mechanism of Authentix100, so that no login prompt is shown.
This allows arbitrary users to view information that was not
intended to be seen by them.
So, Authentix provides a way to protect pages from unauthorized
views, but by supplying a specially formed URL you won't be
prompted for your username and password. Normally, after logging
in, and after being redirected to your part of the site, the URL
looks like this:
http://my.secured.server/protected-directory/filename.ext
By giving a URL in the form:
http://my.secured.server/protected-directory./filename.ext
(place a dot after the shielded directory AND provide a direct
filename)
there's a good chance you will be able to view the protected pages
anyway. In most cases a filename isn't that hard to guess
(index.html, default.htm, whatever), and with a little searching
and guessing the name of the protected directory can be found in
the same way...
SOLUTION
Knowing the importance that Authentix100 plays in authentication
methods, Flicks Software has released version 5.3 of Authentix100.
All users of Authentix100 are strongly encouraged to upgrade to
the latest version of Authentix100 at
http://www.flicks.com/authentix100
This upgrade, like the original product, is FREE.