<<< Date Index >>>     <<< Thread Index >>>

What's Up Professional Spoofing Authentication Bypass



What's Up Professional 2006 is vulnerable to a spoofing attack whereby
the attacker can trick the application into thinking he/she is making a
request from the console (which is considered trusted). This attack will
allow the attacker to bypass the authentication mechanism of the
application and login without credentials.

The application believes that if it is passed the following headers in
an HTTP request, then it is a trusted request:
User-Agent: Ipswitch/1.0
User-Application: NmConsole

These headers can be easily spoofed. An easy way to accomplish the spoof
is to use a webproxy such as webscarab (see owasp.org).

I have put a more detailed text file here:
http://www.ftusecurity.com/pub/whatsup.public.pdf

I contacted IPSwitch. They said the issue would be fixed in the next
release. I followed up twice to find a status and did not receive a reply.

Since the release of some What's Up Professional vulnerabilities
recently -- see: http://www.securityfocus.com/archive/1/433808 -- I
decided to release this information. I've been burned in the past by
reporting vulnerabilities responsibly to vendors, someone else
irresponsibly discloses the issue publicly before the fix is released
and the company does not credit me with the initial report.

Sincerely,
Kenneth F. Belva, CISSP
http://www.ftusecurity.com