Blahz-DNS: Authentication bypass vulnerability

2002-04-30T00:00:00
ID SECURITYVULNS:DOC:2863
Type securityvulns
Reporter Securityvulns
Modified 2002-04-30T00:00:00

Description

ppp-design found the following authentication bypass vulnerability in Blahz-DNS:

Details


Product: Blahz-DNS
Affected Version: 0.2 and maybe all versions before
Immune Version: 0.25
OS affected: OS independent (PHP/MySQL)
Vendor-URL: http://blahzdns.sourceforge.net
Vendor-Status: informed, new version available
Security-Risk: very high
Remote-Exploit: Yes

Introduction


Blahz-DNS is a PHP/MySQL based DNS (BIND 9) administration tool with support for primary and secondary zones, user authentication, User and Admin account types, and restricted access for user accounts to certain primary and secondary zones. Unfortunately the security concept is broken by design: one can easily access any page other than login.php without a valid password.

More details


The software uses a very poor security concept: the user is asked for a valid username/password combination only on the login page. Access to every other page is granted without any password check.
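As an added example (not Blahz-DNS code), the pattern the advisory describes beside the fix an auditor would expect: a page that trusts every request because only login.php ever checked credentials, and the same page guarded by a session check that login.php establishes. Page names, session keys and helper names are assumptions.

```php
<?php
// Added example, not Blahz-DNS source code. Page names, session keys and the
// helper names are assumptions chosen to illustrate the flaw class; each
// script is assumed to call session_start() first.

// --- Vulnerable pattern: credentials are checked on login.php only. ---
// A page like dostuff.php then acts on ?action=modify_user for any visitor,
// because nothing ties the request to an authenticated session.
function vulnerable_dostuff(array $get): string
{
    if (($get['action'] ?? '') === 'modify_user') {
        return 'user modified';          // no authentication check at all
    }
    return 'nothing to do';
}

// --- Hardened pattern: login.php records a principal in the session and
// every other script verifies it before doing any work. ---

// Called by login.php after the submitted password verifies against the
// stored hash (password_verify() on a password_hash() value, assumed here).
function establish_session(int $user_id, string $role): void
{
    session_regenerate_id(true);         // defeat session fixation
    $_SESSION['user_id'] = $user_id;
    $_SESSION['role']    = $role;        // 'user' or 'admin'
}

// True only when the session carries a valid principal with the required
// role; kept free of side effects so it can be unit tested.
function is_authorized(array $session, string $required_role = 'user'): bool
{
    $valid = isset($session['user_id'], $session['role'])
        && in_array($session['role'], ['user', 'admin'], true);
    return $valid && ($required_role !== 'admin' || $session['role'] === 'admin');
}

// Every page except login.php starts with this guard.
function hardened_dostuff(array $get, array $session): string
{
    if (!is_authorized($session, 'admin')) {   // user management is admin-only
        header('Location: login.php', true, 302);
        exit;
    }
    if (($get['action'] ?? '') === 'modify_user') {
        return 'user modified';
    }
    return 'nothing to do';
}
```

The guard belongs in a single include pulled in at the top of every script, so that a newly added page cannot forget it.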

Proof-of-concept


At http://www.example.com/dostuff.php?action=modify_user a blackhat can change existing users (e.g. changing passwords) or add new users without being authorized.

Temporary-Fix


Use Apache's .htpasswd to temporarily restrict access to blahzdns.

Fix


Use at least version 0.25.

Security-Risk


A blackhat can easily manipulate DNS entries remotely without being authorized in any way. This is often the first step of a hacking scenario. Therefore we rate the security risk as very high.

Vendor status


The author reacted very fast and published a new version in less than 12 hours. All users are encouraged to upgrade.

Disclaimer


All information that can be found in this advisory is believed to be true, but maybe it is not. ppp-design can not be held responsible for the use or misuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned.

This advisory can be found online: http://www.ppp-design.de/advisories.php


ppp-design
http://www.ppp-design.de
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A