COMMAND
Online Courseware
SYSTEMS AFFECTED
Systems using DPEC's Online Courseware
PROBLEM
Joel Knight found the following. DPEC's Online Courseware has a
nasty bug in it that allows anyone to change anyone else's
password without knowing what their current password is. This is
NOT limited to normal user accounts, but also applies to the admin
account(s).
When a user logs in for the first time, they are required to
change their password. User jblow goes to the main login page and
enters his username and password. The courseware sees that he is
a new user and gives jblow a second login screen asking him to
verify his password; this is where the problem is. The courseware
puts the following tag into the verification page:
<INPUT TYPE="hidden" NAME="firstpass">
This tag basically tells the courseware "it's OK, change the
current password to what the user enters and allow them to
login regardless of current password (if any)". Further
inspection of the verification page will find the actual password
stored in an <INPUT> tag with the TYPE="hidden" attribute. Simply
by saving a copy of this verification page to your hard drive and
making the proper modifications, you can gain (administrator)
access to the courseware.
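The flaw is that the "first login" decision and the current password both travel through the browser. The sketch below is an added example, not DPEC's code or its patch: it shows a password-change handler that keeps that state on the server and ignores a client-supplied "firstpass" field. The Accounts class and every form field name other than "firstpass" are hypothetical.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    # Salted, slow hash; the server never stores or echoes the clear password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Accounts:
    """Hypothetical server-side store. The 'must change password' flag
    lives here, never in a hidden form field."""

    def __init__(self):
        self._users = {}

    def add(self, user, password, must_change=True):
        salt = os.urandom(16)
        self._users[user] = {"salt": salt, "hash": _hash(password, salt),
                             "must_change": must_change}

    def check(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))

    def must_change(self, user):
        return self._users[user]["must_change"]

    def change_password(self, form):
        """Handle the verification-page POST; `form` is untrusted input."""
        user = form.get("username", "")
        # A 'firstpass' field in the form is ignored on purpose: whether this
        # is a first login is decided from server-side state only, and the
        # current password must be retyped and verified on every change.
        if not self.check(user, form.get("current_password", "")):
            return "denied"
        new = form.get("new_password", "")
        if not new or new != form.get("confirm_password", ""):
            return "mismatch"
        rec = self._users[user]
        rec["salt"] = os.urandom(16)
        rec["hash"] = _hash(new, rec["salt"])
        rec["must_change"] = False
        return "changed"
```

With this layout, a locally edited copy of the verification page gains nothing: the request is refused unless it carries the account's real current password.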
SOLUTION
In DPEC's latest release, this problem has not been fixed.
Preventing unauthorized password changes:
1) Use anonymous ftp to connect to teach.dpec.com.
2) Switch to the /pub directory.
3) Select the appropriate patch file for your OS from the
following list:
aix_patch_990125.tar.gz
bsdi_patch_990125.tar.gz
digital_patch_990125.tar.gz
hp-ux_patch_990125.tar.gz
linux_patch_990125.tar.gz
nt_patch_990125.zip
solaris_patch_990125.tar.gz
4) Fetch the appropriate patch file using binary ftp.
5) Decompress and unpack the patch file.
6) Consult the readme.txt file for installation instructions.
This fix will be incorporated into future versions of the
courseware.