Penetration Testing mailing list archives
RE: Client/Server application that does not authenticate users
From: "Dinis Cruz" <dinis () ddplus net>
Date: Thu, 12 Aug 2004 23:42:35 +0100
Quite common. The other major mistake that most do is to rely on the Client's GUI to enforce the 'security boundaries' of the client application (for example: they rely on the fact that the user's GUI doesn't have the functionality to change passwords (including the administrators'), so if such a request is made it must be from a valid source....)

But, the big question is: "what happens next?" Are they going to tell their customers that their data could have been (or was) compromised?

Dinis Cruz
.Net Security Consultant
DDPlus
-----Original Message-----
From: Brian Erdelyi [mailto:brian_erdelyi () yahoo com]
Sent: 12 August 2004 13:40
To: pen-test () securityfocus com
Subject: Client/Server application that does not authenticate users

I have recently discovered a client/server application where the server does not authenticate users prior to granting them access. Sadly, this even happens to be a financial application for equities trading (sales, trades, offerings and order management) used by some very large firms.

How common is it to find applications that don't authenticate users prior to granting access?
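The pattern both posts describe, a server that trusts whatever arrives because "the GUI can't send anything else", is easiest to see next to its corrected form. The following is an added illustration written for this archive page, not code from either poster or from any product mentioned in the thread. The request shape, the `login`/`handle_naive`/`handle_secure` functions, the in-memory user and session tables and the role names are all constructed for the example; the point is only that authentication and authorisation of a privileged operation (here, changing another user's password) must happen on the server, independent of what the client presents.

```python
"""Server-side enforcement of a client/server application's security boundary.

Added example for the mailing-list thread above (not the posters' code).
It contrasts the mistake described in the thread -- the server honouring any
'change_password' message on the assumption that only the GUI could have
built one -- with a handler that authenticates the caller and authorises the
action itself. Users, sessions and the request format are constructed here.
"""
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class User:
    name: str
    role: str        # constructed roles: "trader" or "admin"
    password: str    # plain text only to keep the example short


# Constructed in-memory user store and session table.
USERS = {
    "alice": User("alice", "trader", "old-pw"),
    "root": User("root", "admin", "admin-pw"),
}
SESSIONS: dict = {}  # session token -> username


def login(username: str, password: str) -> Optional[str]:
    """Return a fresh session token on valid credentials, otherwise None."""
    user = USERS.get(username)
    if user is None or not secrets.compare_digest(user.password, password):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def handle_naive(request: dict) -> str:
    """Vulnerable pattern from the thread: no check of who sent the request.

    The server assumes that only its own GUI can produce a change_password
    message, so any well-formed request is executed, whoever it targets.
    """
    if request.get("op") == "change_password":
        USERS[request["target"]].password = request["new_password"]
        return "ok"
    return "unknown op"


def handle_secure(request: dict) -> str:
    """Hardened pattern: authenticate, then authorise, on the server side.

    Nothing here depends on what the client GUI does or does not expose.
    """
    caller = SESSIONS.get(request.get("token", ""))
    if caller is None:
        return "denied: not authenticated"
    if request.get("op") != "change_password":
        return "unknown op"
    target = request.get("target")
    if target not in USERS:
        return "denied: no such user"
    # Authorisation rule (constructed): a user may change only their own
    # password; only an admin may change someone else's.
    if caller != target and USERS[caller].role != "admin":
        return "denied: not authorised"
    USERS[target].password = request["new_password"]
    return "ok"


if __name__ == "__main__":
    anonymous = {"op": "change_password", "target": "root", "new_password": "x"}
    print("naive handler:", handle_naive(anonymous))      # executes blindly
    print("secure handler:", handle_secure(anonymous))    # denied
    tok = login("alice", "old-pw")
    own = {"token": tok, "op": "change_password",
           "target": "alice", "new_password": "new-pw"}
    print("secure handler, own password:", handle_secure(own))
```

The naive handler is the thread's "GUI enforces the boundary" design: the server has no notion of who the caller is, so the check lives nowhere. The secure handler keeps the session table and the role rule on the server, which is the only place a client cannot bypass them; in a real system the session token would additionally be bound to a transport with confidentiality and integrity, and passwords would be stored hashed.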