RE: Client/Server application that does not authenticate users

["Dinis Cruz" <dinis () ddplus net>]

Quite common.

The other major mistake that most do is to rely on the Client's GUI to
enforce the 'security boundaries' of the client application (for example:
they rely on the fact that the user's GUI doesn't have the functionality to
change passwords (including the administrators), so if such a request is
made it must be from a valid source....) 

But, the big question is: "what happens next?"

Are they going to tell their customers that their data could had been (or
was) compromised?

Dinis Cruz
.Net Security Consultant
DDPlus

> -----Original Message-----
> From: Brian Erdelyi [mailto:brian_erdelyi () yahoo com]
> Sent: 12 August 2004 13:40
> To: pen-test () securityfocus com
> Subject: Client/Server application that does not authenticate users
>
> I have recently discovered a client/server application
> where the server does not authenticate users prior to
> granting them access.  Sadly, this even happens to be
> a financial application for equities trading (sales,
> trades, oferrings and order management) used by some
> very large firms.
>
> How common is it to find applications that don't
> authenticate users prior to granting access?
>
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! Mail is new and improved - Check it out!
> http://promotions.yahoo.com/new_mail