Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Specific Sites :: avista.htm

Altavista Free Internet Client - getting a password so you can logon without it HAC:



Vulnerability

    Altavista Free Internet

Affected

    Altavista Free Internet Client (Windows 95/98)

Description

    Plex  Inphiniti  found  following  in  Altavista's  Free  Internet
    Client.  Altavista  (the popular search  engine) has offered  free
    internet access for quite awhile now.  Using the MicroPortal  code
    they offer  a cost-free  (financially speaking,  although you have
    to trade  a portion  of your  desktop space  for their banner) way
    to access the  internet.  Many  other free internet  services have
    been shown to be gone around in ways to make the connection to  be
    a standard DUN connection.

    Altavista (using Microportal) uses Windows Dialup Networking.   It
    fills in the username (based  on your username when registering  -
    which become your email address ie. blah@altavista.com).  It  then
    proceeds to (on starting the Client) bring up this DUN connectoid,
    fills in  the password,  the local  access number,  then connects.
    Then  launches  the  banner  (taking  up  1/5th  of your screen on
    800x600) which then shows  advertisements and will disconnect  you
    if you don't click on a banner once an hour.

    An problem  with this  system is  that the  user can  simply click
    "Save  Password"  on  the  connectoid  created  by Altavista, then
    connect (with their client),  then disconnect.  Upon  checking the
    password field on  the connectoid the  password is then  there and
    all the user needs to do is to fill in the local access number  to
    connect without running the client at all.

Solution

    There could be  several ways to  solve this.   We will name  a few
    that come to  mind (there are  many others).   The client software
    itself could  (upon connecting)  send the  ip address  to a server
    which would then  verify itself with  the ip just  issued with the
    dialup  connection.  If  the  IP  was  not sent to the server, the
    dialup server would drop the connection.

    Another  viable  solution  would  be  to  have a server (after the
    dialup connection was made) issue a new dialup password that would
    agree with one set on the dialup server. So on the next connection
    the new password would be used.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH