Penetration Testing mailing list archives

Re: [PEN-TEST] HTML source code and authentication


From: "NetW3.COM Consulting" <netw3 () NETW3 COM>
Date: Mon, 18 Dec 2000 23:51:37 -0600

Tim,

This HTML comes from a system called Ultra-Access by a company
named Harland, which used to be Concentrex which used to be
Ultradata (lots of buyouts taking place). Ultra-Access is an
Internet banking system that runs on a customized NT Server
with vendor-specific (non-MS) service packs. It runs IIS,
but not IIS in the standard sense in that most of the usual
exploits for IIS won't work on an Ultra-Access server since
the directory structure and virtual mapping is different.
The /scripts directory does not hold much at all except
ibank.dll and one other dll for processing a Microsoft Money
or Quicken type of data download. Therefore, the usual
IIS issues probably won't do as much good on such a box.

ibank.dll is the heart of all user transactions into the
Ultra-Access system. Every type of transaction that the
user performs on the system is sent as parameters to
ibank.dll.

In the older versions of this product, there was a problem
in that the default setting did not properly screen the use
of the "back" and "forward" buttons after a user logged out.
The system uses per-session cookies and the session was not
cleared. However, the company released some changes that
customers could implement that would secure the process a good
deal. The securifying process sometimes may cause problems
for end users since the system gets harder to navigate in,
especially if they are using Netscape.

This information is based on my direct experience and may
not hold true for other installations.

I also found a DOS condition in the system, but it was
*very* obscure. Of course, this has not stopped others.
I actually did not report it to the company since it was
so obscure, but perhaps I should revisit my decision since
it looks like others are exploring the territory.

I have more information about these systems, so please
feel free to contact me privately.

Curt Wilson


At 01:12 PM 12/18/2000 -0600, you wrote:
Hi all,

I must first apologize about my general ignorance of HTML, but I've been
asked to look into this.  I have a question regarding the source code of a
web page that authenticates users.  The snippet of source code from the web
page in question is as follows:

#<H2><font color=9771824>Member Sign On</font></H2>
#<form name="signon" action="/scripts/ibank.dll" method=post>
#<INPUT TYPE ="HIDDEN" NAME=Func VALUE="SignOn">
#<INPUT TYPE=HIDDEN NAME=Frames VALUE="150">
#<INPUT TYPE ="HIDDEN" NAME=homepath VALUE="cu3">

It leaves me wondering if the referenced ibank.dll file is some
authentication program of some sort and if the availability of this
information simply by clicking on 'view source' is a potential problem.
Furthermore, is there a way to obscure this information if it is a risk?




=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson   *   NetW3.COM Consulting    www.netw3.com  |
|    Internet Security, Networking, PC tech,  WWW hosting     |
|  Serving Southern Illinois locally and the world virtually  |
|            netw3 () netw3 com     618-353-7418                 |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
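
The logout problem described in the reply above (per-session cookie, session not cleared, pages still reachable with "back" and "forward"), shown as an added example that is not part of the original message and is not Ultra-Access code. It is a constructed Python model; `SessionStore`, `logout_weak`, `logout_hardened` and the cookie name `sid` are hypothetical names chosen for illustration.

```python
import secrets

# Constructed model of a per-session-cookie login; not vendor code.
# Headers that tell browsers and proxies not to keep account pages.
NO_CACHE = {"Cache-Control": "no-store", "Pragma": "no-cache", "Expires": "0"}

class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> username

    def sign_on(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable per-session value
        self._sessions[sid] = user
        return sid

    def page(self, sid, harden):
        """Serve an account page for the presented cookie value."""
        user = self._sessions.get(sid)
        if user is None:
            return 401, dict(NO_CACHE), "sign on required"
        headers = dict(NO_CACHE) if harden else {}
        return 200, headers, f"balance page for {user}"

    def logout_weak(self, sid):
        # Only asks the browser to drop the cookie; server state survives,
        # so the old value is still accepted if it is presented again.
        return {"Set-Cookie": "sid=; Max-Age=0"}

    def logout_hardened(self, sid):
        # Destroy the server-side session so a replayed cookie is worthless,
        # and mark the response itself as non-cacheable.
        self._sessions.pop(sid, None)
        return {"Set-Cookie": "sid=; Max-Age=0", **NO_CACHE}

def replay_after_logout(harden):
    """Return (status, Cache-Control) seen by a stale cookie after logout."""
    store = SessionStore()
    sid = store.sign_on("member1")  # constructed sample user
    store.page(sid, harden)
    (store.logout_hardened if harden else store.logout_weak)(sid)
    status, headers, _ = store.page(sid, harden)
    return status, headers.get("Cache-Control")

if __name__ == "__main__":
    print("weak:    ", replay_after_logout(False))
    print("hardened:", replay_after_logout(True))
```

The server-side invalidation handles the stale session; the no-store headers handle pages the browser would otherwise redisplay from its cache on "back".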

