Microsoft Commerce Server 2002 authfiles/login.asp authentication bypass
X-Force ID: mscs-authfiles-authentication-bypass (25330)
Description:
Microsoft Commerce Server 2002 could allow a remote attacker to bypass authentication and gain unauthorized access to an affected site through the sample ASP files shipped in the authfiles directory. An attacker who knows a valid username can bypass authentication by attempting to log in through the authfiles/login.asp script twice with an invalid password; after the second attempt the attacker is logged in as that user, without ever supplying the correct password. (The CVE entry cited below describes the trigger as one login with any password followed by two visits to the main site; in either account the sample login script ends up authenticating the user without a valid password.)
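The following detection heuristic is an added example for this entry; it is not code from X-Force, Microsoft or the original report. It assumes IIS W3C extended logs with the date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query and sc-status fields, that the sample login form submits by POST, and a five-minute correlation window; the log lines are constructed for the example. It flags any request into the sample authfiles directory (which the workaround says to remove) and any client that submits login.asp two or more times in quick succession and then moves on to another page, the sequence described above.

```python
"""Detection heuristic for the Commerce Server 2002 authfiles/login.asp bypass.

Parses IIS W3C extended log lines and reports
  (a) any request into the sample authfiles/ directory, which a hardened
      site should not serve at all, and
  (b) a client that POSTs to authfiles/login.asp two or more times within a
      short window and then requests a page outside authfiles/, the
      "log in twice with a bad password, then browse the site" sequence.
Field names, the POST method and the window are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (IIS 6 W3C format); not taken from any real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-03-16 17:59:01 10.0.0.5 GET /default.asp - 302
2006-03-16 17:59:02 10.0.0.5 GET /authfiles/login.asp - 200
2006-03-16 17:59:05 10.0.0.5 POST /authfiles/login.asp - 200
2006-03-16 17:59:08 10.0.0.5 POST /authfiles/login.asp - 302
2006-03-16 17:59:09 10.0.0.5 GET /default.asp - 200
2006-03-16 18:10:00 10.0.0.9 GET /default.asp - 200
2006-03-16 18:10:04 10.0.0.9 POST /authfiles/login.asp - 200
"""

AUTHFILES_PREFIX = "/authfiles/"
LOGIN_SCRIPT = "/authfiles/login.asp"
WINDOW = timedelta(minutes=5)  # assumed correlation window


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet or malformed line: skip rather than guess
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
        yield rec


def find_authfiles_hits(records):
    """Every request into the sample directory; on a production site any hit is suspect."""
    return [r for r in records
            if r["cs-uri-stem"].lower().startswith(AUTHFILES_PREFIX)]


def find_repeated_logins(records, window=WINDOW, min_posts=2):
    """One finding per client that POSTed login.asp >= min_posts times inside
    `window` and then fetched a page outside authfiles/."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["c-ip"]].append(r)
    findings = []
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        posts = [r for r in recs
                 if r["cs-method"] == "POST"
                 and r["cs-uri-stem"].lower() == LOGIN_SCRIPT]
        for i in range(len(posts) - min_posts + 1):
            first, last = posts[i], posts[i + min_posts - 1]
            if last["ts"] - first["ts"] > window:
                continue
            follow = [r for r in recs
                      if r["ts"] > last["ts"]
                      and not r["cs-uri-stem"].lower().startswith(AUTHFILES_PREFIX)]
            if follow:
                findings.append({"c-ip": ip, "first": first["ts"],
                                 "last": last["ts"],
                                 "next_page": follow[0]["cs-uri-stem"]})
                break  # one finding per client is enough
    return findings


if __name__ == "__main__":
    recs = list(parse_w3c(SAMPLE_LOG))
    for r in find_authfiles_hits(recs):
        print("authfiles hit:", r["c-ip"], r["cs-method"], r["cs-uri-stem"])
    for f in find_repeated_logins(recs):
        print("repeated login then site access:", f)
```

The first check is the more valuable one operationally: once the workaround is applied the directory should not exist, so any request for it is either a scanner or a sign the sample files came back with a redeploy. The second check only correlates timing and paths; it cannot see whether the submitted password was wrong, so treat it as a lead to confirm against the application's own logs rather than a proven bypass.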
Platforms Affected:
- Microsoft, Commerce Server 2002 SP1
- Microsoft, Commerce Server 2002
Remedy:
Upgrade to Microsoft Commerce Server 2002 SP2 or later, available from Microsoft's Web site. See References.
As a workaround, remove the authfiles directory from your Web site; it holds sample files, and the bypass is only reachable while the sample login.asp is being served.
Consequences:
Bypass Security
References:
- BugTraq Mailing List, Thu Mar 16 2006 - 17:59:51 CST, Microsoft Commerce Server 2002: Logon as known user with a false password at http://archives.neohapsis.com/archives/bugtraq/2006-03/0345.html.
- Microsoft Corporation Web site, Commerce Server 2002 Service Pack 2 (SP2) - English at http://www.microsoft.com/downloads/details.aspx?familyid=58e6d658-cc3e-4846-8ef7-264e6eeb4c1e&displaylang=en.
- BID-17134: Microsoft Commerce Server 2002 Authentication Bypass Vulnerability
- CVE-2006-1257: The sample files in the authfiles directory in Microsoft Commerce Server 2002 before SP2 allow remote attackers to bypass authentication by logging in to authfiles/login.asp with a valid username and any password, then going to the main site twice.
- OSVDB ID: 24121: Microsoft Commerce Server 2002 authfiles/login.asp Authentication Bypass
- SA9176: Microsoft Commerce Server Registry Permissions and Authentication Bypass
Reported:
Mar 16, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net
