Ligatt Authentication Fail
This post will be a disclosure on how not to design and implement a login process.
Ligatt Security, and Gregory Evans, the main man behind Ligatt, have come under quite a bit of flak recently for things like allegedly making threats to other researchers and for alleged plagiarism.
While all of this internal security-industry bickering is beyond me and this post, I would not trust a company with protecting my data if they can’t even protect their own.
And with that said: Month Of Full Disclosure item 3 = Ligatt Security and how not to write an Authentication Process.
Ligatt Security – Authentication Bypass
Vulnerability ID: Month Of Full Disclosure 3 = MOFD3
Vendor Tag Lines: Cyber Security is never an issue with LIGATT on your side
Vendor Notification: 05 August 2010
Public Disclosure: 05 August 2010
Vulnerability Type: Authentication Bypass
Status: Public Disclosure – Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: High
Credit: Martin Hall – TheTestManager
If you visit the LocatePC page in a normal browser, you will be redirected to the login page.
However, if you visit the same URL in a browser where Follow Redirects is turned off, you will not be redirected and you will be able to use the LocatePC functionality.
Instructions follow for Opera.
Click on Tools
Click on Preferences
Click on Advanced
Click on Network
Untick “Enable automatic redirection”
Click on OK
Now follow this URL
Show me where that PC is
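The behaviour above is the classic "redirect without stopping" defect: the server sets a redirect to the login page but keeps rendering the protected page in the same response, so a client that ignores the Location header simply reads the body. The following is an added example, not Ligatt's code (their language and framework are unknown); it models a hypothetical LocatePC handler in its vulnerable and corrected forms, a client that does or does not follow redirects like the Opera setting above, and the check a defender can run against any protected URL.

```python
"""Redirect-without-stop, modelled as plain functions (constructed example)."""
from http import HTTPStatus

LOGIN_URL = "/login"                                  # hypothetical login page
LOGIN_PAGE = "<form>login</form>"                     # constructed stand-in
SECRET_BODY = "<h1>LocatePC</h1><p>PC last seen at 203.0.113.7</p>"  # constructed


def locatepc_vulnerable(session):
    """Sets the redirect but does not return: 302 plus the protected body."""
    status, headers = HTTPStatus.OK, {}
    if not session.get("authenticated"):
        status, headers = HTTPStatus.FOUND, {"Location": LOGIN_URL}
        # Missing 'return' here: execution falls through to the page render.
    body = SECRET_BODY
    return status, headers, body


def locatepc_fixed(session):
    """Stops processing as soon as the redirect is issued."""
    if not session.get("authenticated"):
        return HTTPStatus.FOUND, {"Location": LOGIN_URL}, ""
    return HTTPStatus.OK, {}, SECRET_BODY


def browser_view(handler, session, follow_redirects=True):
    """What the user sees; follow_redirects=False mirrors the Opera setting."""
    status, headers, body = handler(session)
    if follow_redirects and 300 <= status < 400 and "Location" in headers:
        return LOGIN_PAGE  # a real browser would fetch headers["Location"]
    return body


def leaks_through_redirect(response, marker):
    """Defender's check: a 3xx response whose body still carries protected content."""
    status, headers, body = response
    return 300 <= status < 400 and "Location" in headers and marker in body
```

The same check applies to a real deployment: fetch each protected URL unauthenticated with redirect-following disabled and flag any 3xx response whose body contains application content rather than an empty or minimal redirect page.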
Currently I’m not aware of any vendor-supplied patches or other solutions.
If you are aware of more recent information related to this issue please notify me at: firstname.lastname@example.org
Other Miscellany Information