Full Disclosure – How not to write a Forms Authentication Process

The Test Manager

Ligatt Authentication Fail

This post will be a disclosure on how not to design and implement a login process.

Ligatt Security, and Gregory Evans, the main man behind Ligatt, have come under quite a bit of flak recently for things like allegedly making threats to other researchers and also for alleged plagiarism.

While all of this internal security-industry bickering is beyond me and this post, I would not trust a company to protect my data if they can’t even protect their own.

And with that said: Month Of Full Disclosure item 3 = Ligatt Security and how not to write an Authentication Process.

Text Version Here

Ligatt Security – Authentication Bypass
————————————-
Vulnerability ID: Month Of Full Disclosure 3 = MOFD3
————————————
Product: LocatePC
————————————-
Vendor: Ligatt Security Inc ( https://www.ligattsecurity.com)
————————————-
Vendor Tag Lines: Cyber Security is never an issue with LIGATT on your side
————————————-
Vendor Notification: 05 August 2010
Public Disclosure: 05 August 2010
————————————-
Vulnerability Type: Authentication Bypass
————————————-
Status: Public Disclosure – Not Fixed, Vendor Alerted, Awaiting Vendor Response
————————————-
Risk level: High
————————————-
Credit: Martin Hall – TheTestManager
twitter = @thetestmanager
————————————-
Vulnerability Details:
If you visit the LocatePC page in a normal browser you will be redirected to the login page. However, if you visit the same URL in a browser where Follow Redirects is turned off, you will not be redirected and you will be able to use the LocatePC functionality: the server sends the redirect to the login page but still serves the protected page in that same response.
Instructions follow for Opera.
Click on Tools
Click on Preferences
Click on Advanced
Click on Network
Untick “Enable automatic redirection”
Click on OK
Now follow this URL
Ligatt Authentication_ByPass

Show me where that PC is
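As an added illustration (not LocatePC’s code, which is not public), the following models the class of defect that produces this behaviour: a handler that sets the redirect to the login page but keeps rendering the protected content, next to a corrected handler that returns as soon as the authentication check fails, plus a check modelled on a client with automatic redirection disabled. All names, the page body and the login URL are assumptions.

```python
# Added example, not LocatePC's code: a minimal handler reproducing the
# "redirect to login but keep rendering" defect, its corrected form, and a
# self-check that behaves like a browser with automatic redirection unticked.
from dataclasses import dataclass, field

PROTECTED_BODY = "<h1>LocatePC</h1><p>Show me where that PC is</p>"  # constructed
LOGIN_URL = "/login"  # assumed login page


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def locate_pc_vulnerable(session_authenticated: bool) -> Response:
    """Sets the redirect but keeps rendering: the 302 response carries the page."""
    resp = Response(200)
    if not session_authenticated:
        # Same shape as Response.Redirect(url, endResponse=False) in ASP.NET or
        # header("Location: ...") without exit() in PHP: the header is set,
        # but request processing does not stop here.
        resp.status = 302
        resp.headers["Location"] = LOGIN_URL
    resp.body = PROTECTED_BODY  # emitted regardless of the auth check above
    return resp


def locate_pc_fixed(session_authenticated: bool) -> Response:
    """Auth check returns early, so an unauthenticated request never renders."""
    if not session_authenticated:
        return Response(302, {"Location": LOGIN_URL}, "")
    return Response(200, body=PROTECTED_BODY)


def leaks_behind_redirect(handler) -> bool:
    """Model a client that does not follow redirects: it keeps the 3xx response
    as received, so any protected content in its body is readable. Use this
    against your own handlers as a regression check."""
    resp = handler(session_authenticated=False)
    return resp.status in (301, 302, 303, 307) and PROTECTED_BODY in resp.body
```

Run the check over both handlers: the vulnerable one leaks the protected page inside its redirect response, the fixed one returns an empty-bodied 302.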

————————————-
Sample URLs
————————————-
Solution:
Currently I’m not aware of any vendor-supplied patches or other solutions.
If you are aware of more recent information related to this issue please notify me at: martin@hb-help.com
————————————-
Other Miscellaneous Information

Copyright © 2012 The Test Manager Blog All rights reserved. Theme by Laptop Geek.