Penetration Testing mailing list archives
Re: [PEN-TEST] HTML source code and authentication
From: "NetW3.COM Consulting" <netw3 () NETW3 COM>
Date: Mon, 18 Dec 2000 23:51:37 -0600
Tim,

This HTML comes from a system called Ultra-Access by a company named Harland, which used to be Concentrex which used to be Ultradata (lots of buyouts taking place). Ultra-Access is an Internet banking system that runs on a customized NT Server with vendor-specific (non-MS) service packs. It runs IIS, but not IIS in the standard sense in that most of the usual exploits for IIS won't work on an Ultra-Access server since the directory structure and virtual mapping is different. The /scripts directory does not hold much at all except ibank.dll and one other dll for processing a Microsoft Money or Quicken type of data download. Therefore, the usual IIS issues probably won't do as much good on such a box.

ibank.dll is the heart of all user transactions into the Ultra-Access system. Every type of transaction that the user performs on the system is sent as parameters to ibank.dll.

In the older versions of this product, there was a problem in that the default setting did not properly screen the use of the "back" and "forward" buttons after a user logged out. The system uses per-session cookies and the session was not cleared. However, the company released some changes that customers could implement that would secure the process a good deal. The securifying process sometimes may cause problems for end users since the system gets harder to navigate in, especially if they are using Netscape. This information is based on my direct experience and may not hold true for other installations.

I also found a DoS condition in the system, but it was *very* obscure. Of course, this has not stopped others. I actually did not report it to the company since it was so obscure, but perhaps I should revisit my decision since it looks like others are exploring the territory.

I have more information about these systems, so please feel free to contact me privately.

Curt Wilson

At 01:12 PM 12/18/2000 -0600, you wrote:
Hi all,

I must first apologize about my general ignorance of HTML, but I've been asked to look into this. I have a question regarding the source code of a web page that authenticates users. The snippet of source code from the web page in question is as follows:

    <H2><font color=9771824>Member Sign On</font></H2>
    <form name="signon" action="/scripts/ibank.dll" method=post>
    <INPUT TYPE="HIDDEN" NAME=Func VALUE="SignOn">
    <INPUT TYPE=HIDDEN NAME=Frames VALUE="150">
    <INPUT TYPE="HIDDEN" NAME=homepath VALUE="cu3">

It leaves me wondering if the referenced ibank.dll file is some authentication program of some sort and if the availability of this information simply by clicking on 'view source' is a potential problem. Furthermore, is there a way to obscure this information if it is a risk?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson * NetW3.COM Consulting www.netw3.com         |
| Internet Security, Networking, PC tech, WWW hosting         |
| Serving Southern Illinois locally and the world virtually   |
| netw3 () netw3 com 618-353-7418                              |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
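The two points the thread turns on, that the hidden form fields (Func, homepath) are plain client-supplied parameters to ibank.dll rather than secrets, and that an older default left the server-side session alive after sign-off so "back" or a replayed cookie kept working, can be shown with a small model. The following is an added example written for this archive page; it is not code from the thread, from Harland, or from the Ultra-Access product, and the class and function names (SessionStore, sign_on, request, replay_after_logout), the demo user table and the salt are all assumptions constructed for the illustration.

```python
# Added example: a minimal ibank.dll-style dispatcher where every transaction
# arrives as a Func parameter, with sign-off that either does or does not clear
# the server-side session. All names and data below are constructed for the
# example, not taken from any real product.
import hashlib
import hmac
import secrets


def _hash_pw(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of a password (100k rounds) under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo credential table: username -> (salt, PBKDF2 hash).
_SALT = b"demo-salt-not-for-production"
DEMO_USERS = {"alice": (_SALT, _hash_pw("correct horse", _SALT))}


class SessionStore:
    """Server-side session table for a single-DLL banking front end.

    invalidate_on_logout=False models the older behaviour described in the
    thread: SignOff tells the browser to drop its cookie but leaves the
    server-side session alive, so a replayed cookie value still works.
    """

    def __init__(self, invalidate_on_logout: bool = True):
        self.sessions = {}
        self.invalidate_on_logout = invalidate_on_logout

    def sign_on(self, params: dict):
        """Handle the Member Sign On form. Every field, hidden ones included,
        is client-controlled: it is input to validate, never a secret."""
        if params.get("Func") != "SignOn":
            return None
        rec = DEMO_USERS.get(params.get("user", ""))
        if rec is None:
            return None
        salt, expected = rec
        if not hmac.compare_digest(_hash_pw(params.get("password", ""), salt), expected):
            return None
        # homepath is only a display preference; accept known values, else default.
        homepath = params.get("homepath", "")
        if homepath not in ("cu1", "cu2", "cu3"):
            homepath = "cu1"
        sid = secrets.token_hex(16)  # unguessable per-session cookie value
        self.sessions[sid] = {"user": params["user"], "homepath": homepath}
        return sid

    def request(self, sid, func: str):
        """Dispatch a post-sign-on transaction. Returns (status, body)."""
        sess = self.sessions.get(sid)
        if sess is None:
            return 403, "not signed on"
        if func == "SignOff":
            if self.invalidate_on_logout:
                del self.sessions[sid]  # the fix: forget the session server-side too
            return 200, "signed off; Set-Cookie: session=; Max-Age=0"
        return 200, f"{func} for {sess['user']} ({sess['homepath']})"


def replay_after_logout(store: SessionStore) -> int:
    """Sign on, sign off, then replay the old cookie value; return the status."""
    sid = store.sign_on({"Func": "SignOn", "homepath": "cu3",
                         "user": "alice", "password": "correct horse"})
    assert sid is not None
    store.request(sid, "SignOff")
    status, _ = store.request(sid, "Balance")
    return status


if __name__ == "__main__":
    print("old default:", replay_after_logout(SessionStore(invalidate_on_logout=False)))
    print("fixed:", replay_after_logout(SessionStore()))
```

The replay check is the test a pentester would run against such a system: sign on, sign off, then resend a transaction with the old cookie. With the old default the replayed "Balance" request still succeeds (200); once sign-off deletes the server-side entry it is refused (403). Nothing in the hidden fields grants access on its own, which is why exposing them in view-source is not the risk; the credential check and the session lifetime are.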
Current thread:
- [PEN-TEST] HTML source code and authentication Skinner, Tim L. (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication Bennett Todd (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication c0ncept (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication NetW3.COM Consulting (Dec 19)
- <Possible follow-ups>
- Re: [PEN-TEST] HTML source code and authentication Adams, Gavin (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication Yonatan Bokovza (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication Chris Tobkin (Dec 18)
- Re: [PEN-TEST] HTML source code and authentication Martijn Prummel (Dec 19)