-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ppp-design found the following authentication bypass vulnerability in dnstools: Details - ------- Product: dnstools Affected Version: 2.0 beta 4 and maybe all versions before Immune Version: 2.0 beta 5 OS affected: Linux only Vendor-URL: http://www.dnstools.com Vendor-Status: informed, new version avaiable Security-Risk: very high Remote-Exploit: Yes Introduction - ------------ DNSTools is a comercial solution for dns configuration ($0 for personal use up to $800 for ISPs). This is what the vendor tells about dnstools: "DNSTools is a DNS configuration and DNS administration utility that eases the burden of network and system administrators by presenting all of their DNS data in an easy-to-use web interface and allowing them to modify that data quickly and easily. With a few simple clicks, you can modify a host name, add a new mail record, add a new DNS name server, delete an entire domain or add an alias or second IP address to an existing host. These are just a few examples of what DNSTools provides." Unfortunately the security concept is broken by design and can be easily bypassed. More details - ------------ The software uses two variables to save the users authentication status (normal user / administration). Unfortunately these variables are not initialized, so you can easily spoof your status. Proof-of-concept - ---------------- Just add "user_logged_in=true" and if you want to have administration privileges "user_dnstools_administrator=YES" to any url (just be sure you are not logged in, otherwise your submitted variable will be overwritten with the real value). Examples: http://www.example.com/dnstools.php?section=hosts&user_logged_in=true http://www.example.com/dnstools.php?section=security&user_logged_in=true &user_dnstools_administrator=YES Temporary-Fix - ------------- Initialize both variables with false at the beginning of dnstools.php Fix - --- Use at least version 2.0 beta 5. Security-Risk - ------------- A blackhat can easily manipulate DNS entries remotly without being authorized in any way. This often is the first step of a hacking scenario. Therefore we are rating the security risk to very high. Vendor status - ------------- The author reacted very fast and recommendable to our note. He needed about 48 hours for a new version which fixes the vulnerability. Disclaimer - ---------- All information that can be found in this advisory is believed to be true, but maybe it is not. ppp-design can not be held responsible for the use or missuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned. This advisory can be found online: http://www.ppp-design.de/advisories.php - -- ppp-design http://www.ppp-design.de Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Weitere Infos: siehe http://www.gnupg.org iD8DBQE8y903DXh7YLO1RRoRAs4VAJ9HNyVi3Fz7U1eU9tk2efcrlZfcnACdEWCx rnGV/vCQNPwo1fRFsynOy1w= =ZPXl -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Mon Apr 29 2002 - 12:39:41 PDT