Full Disclosure – How not to write a Forms Authentication Process

The Test Manager

Ligatt Authentication Fail

This post is a disclosure of how not to design and implement a login process.

Ligatt Security, and Gregory Evans, the main man behind Ligatt, have come under quite a bit of flak recently for things like allegedly making threats to other researchers and also for alleged plagiarism.

While all of this security-industry bickering is beyond me and beyond this post, I would not trust a company to protect my data if it cannot even protect its own.

And with that said: Month Of Full Disclosure item 3 = Ligatt Security and how not to write an Authentication Process.

Text Version Here

Ligatt Security – Authentication Bypass
Vulnerability ID: Month Of Full Disclosure 3 = MOFD3
Product: LocatePC
Vendor: Ligatt Security Inc (https://www.ligattsecurity.com)
Vendor Tag Lines: Cyber Security is never an issue with LIGATT on your side
Vendor Notification: 05 August 2010
Public Disclosure: 05 August 2010
Vulnerability Type: Authentication Bypass
Status: Public Disclosure – Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: High
Credit: Martin Hall – TheTestManager
twitter = @thetestmanager
Vulnerability Details:
If you visit the LocatePC page in a normal browser you will be redirected to the login page. However, if you visit the same URL in a browser with Follow Redirects turned off, you will not be redirected and you will be able to use the LocatePC functionality. That behaviour means the server issues the redirect but does not stop there: the protected page is rendered into the body of the same redirect response, so the login check holds only for clients that honour the Location header.
Instructions for Opera follow.
Click on Tools
Click on Preferences
Click on Advanced
Click on Network
Untick “Enable automatic redirection”
Click on OK
Now follow this URL: Ligatt Authentication_ByPass
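The mechanism behind the Opera trick, as an added example that is not code from the original post or from Ligatt (the LocatePC page itself is not reproduced; the protected page, the cookie check and the `/locatepc` path below are constructed stand-ins). Two minimal WSGI handlers model the server side: both send an unauthenticated client a 302 to the login page, but the vulnerable one keeps rendering the protected page into that same response, while the fixed one returns immediately after emitting the redirect. `probe()` plays the client with redirect-following disabled and doubles as the check you would run against a real site; `fetch_without_redirects()` does the same over HTTP with the standard library.

```python
"""Redirect-only login check: vulnerable and fixed handlers, plus the probe.

Added example, not the original post's or vendor's code. The page content,
cookie check and path are constructed for illustration.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed stand-in for the protected LocatePC page.
PROTECTED_HTML = b"<html><body><h1>LocatePC</h1>Show me where that PC is</body></html>"
SECRET_MARKER = b"Show me where that PC is"
LOGIN_URL = "/login"


def _logged_in(environ: dict) -> bool:
    """Toy session check (assumption): a 'session=valid' cookie means authenticated."""
    return "session=valid" in environ.get("HTTP_COOKIE", "")


def vulnerable_app(environ, start_response):
    """Models the bug: the redirect is issued, but the handler runs on and
    renders the protected page into the body of the 302 response."""
    if not _logged_in(environ):
        start_response("302 Found", [("Location", LOGIN_URL),
                                     ("Content-Type", "text/html")])
        # No early return here: this is the whole vulnerability.
    else:
        start_response("200 OK", [("Content-Type", "text/html")])
    return [PROTECTED_HTML]


def fixed_app(environ, start_response):
    """Redirect and stop: the unauthenticated branch returns an empty body
    and never reaches the code that renders the page."""
    if not _logged_in(environ):
        start_response("302 Found", [("Location", LOGIN_URL),
                                     ("Content-Type", "text/html")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [PROTECTED_HTML]


def probe(app: Callable, path: str, cookie: str = "") -> Tuple[str, Dict[str, str], bytes]:
    """Call a WSGI app the way a client with redirects disabled sees it:
    capture status, headers and the raw body without following Location."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_COOKIE": cookie}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body  # type: ignore[return-value]


def leaks_protected_content(app: Callable, path: str = "/locatepc") -> bool:
    """The check: a redirect response whose body still carries the protected page."""
    status, headers, body = probe(app, path)
    return status.startswith("30") and "Location" in headers and SECRET_MARKER in body


def fetch_without_redirects(url: str, timeout: float = 10.0) -> Tuple[int, Dict[str, str], bytes]:
    """Same probe against a live URL: an opener that refuses to follow 3xx, so
    the 302 body comes back instead of the login page it points to."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None tells urllib not to follow

    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        # An unfollowed 3xx surfaces here; its body is what a browser with
        # automatic redirection disabled would render.
        return err.code, dict(err.headers), err.read()


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("fixed", fixed_app)):
        status, _, body = probe(app, "/locatepc")
        print(f"{name}: {status}, body {len(body)} bytes, leaks={leaks_protected_content(app)}")
```

Against a real target the same check is `curl -s -D - <url>` with no `-L`: if the headers show a 302 and the body is the protected page rather than empty, the login check is redirect-only. In ASP.NET, which the "Forms Authentication" wording in the title suggests, the vulnerable shape corresponds to `Response.Redirect(url, false)` followed by the rest of the page rendering, and the fix is to end the response (or return from the handler) immediately after issuing the redirect.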


Show me where that PC is


Sample URLs
Currently I’m not aware of any vendor-supplied patches or other solutions.
If you are aware of more recent information related to this issue please notify me at: martin@hb-help.com
Other Miscellaneous Information

