Forum Web Server Login Bypass

2003-09-16T08:08:32
ID: OSVDB:2554
Type: osvdb
Reporter: OSVDB
Modified: 2003-09-16T08:08:32

Description

Vulnerability Description

Minihttp Forum Web Server contains a flaw that allows a remote attacker to log in with Administrative privileges. The flaw is due to the software not adequately checking user input supplied to the password field. Logging in as the Admin and giving two quotes ("") as the password causes the system to allow authentication.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

Log in with the following credentials:

Login: Admin
Password: " or Password: ""

References:

Secunia Advisory ID: 9738
Other Advisory URL: http://packetstormsecurity.nl/0309-exploits/minihttp.txt
ISS X-Force ID: 13208
Generic Informational URL: http://www.securitytracker.com/alerts/2003/Sep/1007707.html
Bugtraq ID: 8620