IBuySpy Portal and Portal Starter Kit Security Issue


Yesterday we became aware of a security vulnerability in two of our sample applications: the IBuySpy Portal and the Portal Starter Kit. We have temporarily removed the IBuySpy Portal sample download and are actively working on an update. An updated Portal Starter Kit sample (version 1.0b) is now available which fixes the problem for that sample.
This email provides the steps to immediately fix existing sites and mitigate the potential for a malicious attack.
Who is vulnerable?
-- Any version of the VB.NET IBuySpy Portal sample configured to use html forms authentication.
-- Any version of the VB.NET Portal Starter Kit sample configured to use html forms authentication
-- Older pre-ASP.NET V1 versions of the C# IBuySpy Portal sample (specifically for ASP.NET beta1 and beta2) configured to use html forms authentication.
This vulnerability does NOT affect:
-- The VB.NET version of the IBuySpy Portal sample configured to use Windows Authentication
-- The VB.NET version of the Portal Starter Kit sample configured to use Windows Authentication
-- The C# version of the IBuySpy Portal sample released for ASP.NET V1
-- The C# version of the Portal Starter Kit sample
-- The IBuySpy Store sample
-- The Community Starter Kit sample
-- The TimeTracker Starter Kit sample
-- The Report Starter Kit sample
-- The Store Starter Kit sample
Note that this problem is not an ASP.NET product vulnerability or a bug in the ASP.NET Forms Authentication feature. Rather it is a result of a bug in how the forms authentication feature was used in the VB.NET language versions of the IBuySpy Portal and Portal Starter Kit sample applications.
What is the vulnerability?
A malicious user can login as a portal sample administrator and exploit the site by:
-- Altering text and content on the site
-- Creating and Deleting portal users used with the sample's forms authentication system
-- Changing portal user passwords used with the sample's forms authentication system
-- Retrieving user IDs and passwords used with the sample's forms authentication system
The vulnerability specifically *does not* enable the following actions:
-- A hacker *cannot* take over the server (e.g. it does not allow hacker code to be executed on the server)
-- A hacker *cannot* access or compromise Windows usernames or passwords
-- A hacker *cannot* use the vulnerability to initiate a SQL injection attack
How to manually fix the vulnerability?
An updated version of the VB.NET Portal Starter Kit sample (version 1.0b) is now available for download. An updated version of the VB.NET IBuySpy Portal will be posted shortly. If you have an existing installation of the samples, you can immediately fix the problem by performing the following steps:
To fix the SDK VB.NET versions of IBuySpy Portal and the Portal Starter Kit:
1) Open up the admin\Register.aspx file with a text editor
2) Replace the following line of code in the RegisterBtn_Click handler:

If accountSystem.AddUser(Name.Text, Email.Text, Password.Text) Then
with:
If (accountSystem.AddUser(Name.Text, Email.Text, Password.Text) > -1) Then

3) Save the file
4) Log into your Portal site
5) Change your admin password
6) Optional: Instruct registered portal users to change their passwords
To fix the Visual Studio.NET VB.NET versions of IBuySpy Portal and the Portal Starter Kit:
1) Open up the Visual Studio Project found in the directory in which the application was installed.
2) Open the admin\Register.aspx page
3) Switch to the Code Behind view for the page
4) Replace the following line of code in the RegisterBtn_Click handler

If accountSystem.AddUser(Name.Text, Email.Text, Password.Text) Then
with:
If (accountSystem.AddUser(Name.Text, Email.Text, Password.Text) > -1) Then

5) Save the file
6) Rebuild the application (Ctrl-Shift-B)
7) Log into your Portal site
8) Change your admin password
9) Optional: Instruct registered portal users to change their passwords
To fix C# beta versions of the IBuySpy Portal please upgrade to the latest version of the IBuySpy portal.
We sincerely apologize for the inconvenience that this has caused -- please let me know if I can answer any questions,
- Scott
scottgu
6/7/2003 4:33:59 PM
asp.net.portal-starter-kit

Hello Scott,

That bug is an interesting feature to learn.
In the first case it is checked if an account.add process exists, without regard to its result.
In the corrected version, in brackets, only the return value of the internal .add process is evaluated,
and it has to be successful, ergo not the default, i.e. more than -1....
Am I right?
Cheers
mekanoo-germany
mekanoo
5/21/2004 8:45:07 PM
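Why the one-line fix in Scott's steps matters, and the answer to mekanoo's question, as an added VB.NET example that is not the sample's own code: UsersDB, RegisterOriginal and RegisterFixed are stand-ins I made up, and the assumption that AddUser returns the new user ID or -1 when the e-mail is already registered is inferred from the "> -1" check, not stated on the page.

```vbnet
' Added example (not from the IBuySpy sample). Models the check on the
' AddUser return value. Option Strict Off was the VS.NET project default and
' is what allows an Integer to be used directly as an If condition.
Option Strict Off

Imports System
Imports System.Collections.Generic

' Stand-in for the sample's accountSystem (hypothetical, constructed here).
Public Class UsersDB
    Private ReadOnly emails As New HashSet(Of String)(StringComparer.OrdinalIgnoreCase)
    Private nextId As Integer = 0

    ' Assumption: returns the new user ID, or -1 when the e-mail already exists.
    Public Function AddUser(name As String, email As String, password As String) As Integer
        If Not emails.Add(email) Then Return -1
        nextId += 1
        Return nextId
    End Function
End Class

Public Module Demo
    ' Original check: the Integer result is used as the condition. Under
    ' Option Strict Off every non-zero Integer converts to True, so the -1
    ' failure sentinel is treated as a successful registration.
    Public Function RegisterOriginal(db As UsersDB, name As String, email As String, password As String) As Boolean
        If db.AddUser(name, email, password) Then
            Return True
        End If
        Return False
    End Function

    ' Corrected check: success only for a real, non-negative user ID.
    Public Function RegisterFixed(db As UsersDB, name As String, email As String, password As String) As Boolean
        If (db.AddUser(name, email, password) > -1) Then
            Return True
        End If
        Return False
    End Function

    Sub Main()
        Dim db As New UsersDB()
        db.AddUser("admin", "admin@example.com", "constructed-password")
        ' A second registration with the same e-mail makes AddUser return -1;
        ' only the corrected check reports that as a failure.
        Console.WriteLine("original check: " & RegisterOriginal(db, "x", "admin@example.com", "other"))
        Console.WriteLine("fixed check:    " & RegisterFixed(db, "x", "admin@example.com", "other"))
    End Sub
End Module
```

The same reasoning applies to any sentinel-returning API used as a Boolean: compare against the documented failure value explicitly rather than relying on implicit conversion.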