Snitz Forums 2000
 NT Authentication, Admin Login, Security Issue?

mclek
New Member

Australia
50 Posts

Posted - 23 August 2001 : 20:32:22
I've posted a separate question (http://forum.snitz.com/forum/topic.asp?ARCHIVE=&TOPIC_ID=15712), asking why there is the need for a separate login to access admin functions.

I'm curious as to how you guys (who I presume are using NT authentication) handle administration?

I think I've noticed a potential security issue:
If you've got NT Authentication turned on, then of course you don't have the normal logon, and you don't have a concept of a password.

This is all fine, until you give one of your NT logons Admin rights. When you try to access the Admin functions you are prompted to login (why this is needed is the topic of my original post). Just typing the logon name of the NT user with Admin rights and NO PASSWORD will give you access, as the NT logon has no password associated with it.

This potentially means that anyone can look on the member list, see which logon names have administrator rights, and access the admin functions via that logon name.

Kym.

Hal
Starting Member

2 Posts

Posted - 28 August 2001 : 10:24:15
quote:

I think I've noticed a potential security issue:
If you've got NT Authentication turned on, then of course you don't have the normal logon, and you don't have a concept of a password.

This is partially true. The situation is NT accounts do not have passwords associated with them in the SNITZ security database.

quote:

This is all fine, until you give one of your NT logons Admin rights. When you try to access the Admin functions you are prompted to login (Why this is needed, is the topic of my original post). Just typing the logon name of the NT user with Admin rights and NO PASSWORD will give you access, as the NT logon has no password associated with it.

Good Observation. I wanted to get rid of that intermediate page anyway.
In admin_login.asp, right after the includes, I added this code:

<%
' This short circuits the need for a separate admin login.
' mlev is the member level already worked out for the current NT user;
' level 4 means administrator.
if (mlev = 4) then
    ' Set the same "Approval" session value admin_login.asp would set on a
    ' successful login, then go straight to the admin home page.
    Session(strCookieURL & "Approval") = "15916941253"
    Response.Redirect "admin_home.asp"
    Response.End
else
    ' Not an admin: send them back to the forum front page.
    Response.Redirect "default.asp"
    Response.End
end if
%>

This says if the user is > level 4 just give them the cookie. If not, then push them out.

It works for me with NTAuth. It might need something else for others.



mclek
New Member

Australia
50 Posts

Posted - 28 August 2001 : 22:01:31
Thanks for the reply Hal,

I'll try out your "short circuit" of the separate login.

I don't think the second login adds much to Snitz with DB authentication, but it just plain is a security risk with NT Authentication.

Catcha,
Kym.


mclek
New Member

Australia
50 Posts

Posted - 29 August 2001 : 00:07:03
Hal,

I've put in your fix and it works a treat.
The only difference is I've wrapped it in a "if (strAuthType = "nt") then ... end if", so that it does the normal login if using DB Authentication.

I personally reckon this should be posted as an NT specific bug fix, since it fixes a security hole.

What do you think?

Catcha,
Kym.


mclek
New Member

Australia
50 Posts

Posted - 29 August 2001 : 01:51:13
Ummm,

Let me take that back...

After examining quite a bit of code, I am now fairly convinced that a bug has been introduced at some point, and believe that the intention was always to bypass the second logon when NT authentication is used.

The NTUser function (in inc_functions.asp) is called when NT Authentication is on, and sets up the cookie information for the user.

It performs the following steps:
1. It searches for the member with M_USERNAME equal to the "userid" cookie set in the NTAuthenticate function.
2. It then sets the "Name" cookie to the retrieved M_NAME.
3. It then tries to obtain the M_LEVEL of the user (by calling the chkUser function).
4. If the value returned from chkUser indicates they have admin rights (i.e. = 4), it sets the "Approval" cookie which allows access to the admin functions (which would mean bypassing the admin_login.asp screen).

The chkUser searches for a member with MEMBERS.<strDBNTSQLName> = the name passed in. In the case of NT Authentication, strDBNTSQLName is set (in config.asp) to "M_USERNAME".

The NTUser function calls chkUser as follows:

mLev = cint(chkUser(Request.Cookies(strUniqueID & "User")("Name"), Request.Cookies(strUniqueID & "User")("Pword")))


The trouble is that the "Name" cookie used in the line above was set to the M_NAME field (in step 2 above), whereas the chkUser function searches on M_USERNAME.

The chkUser code of course finds no match and returns a value of 0 (meaning Invalid Password).

The NTUser function should instead pass the userID to the chkUser function. This is achieved by changing line 1216:

mLev = cint(chkUser(Request.Cookies(strUniqueID & "User")("Name"), Request.Cookies(strUniqueID & "User")("Pword")))


to:

mLev = cint(chkUser(Session(strCookieURL & "userID"), Request.Cookies(strUniqueID & "User")("Pword")))


Kym.



Edited by - mclek on 29 August 2001 01:52:28
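The lookup mismatch diagnosed in this post, and the empty-password admin login it leaves open (the issue raised in the first post of the thread), modelled in Python as an added example. This is not Snitz code: the MEMBERS rows are constructed sample data, the function names (chk_user, nt_user_level_buggy, nt_user_level_fixed, admin_login_naive, admin_access) are this example's own, and the hardened admin_access rule is an assumed design, not something the forum shipped.

```python
import hmac

# Constructed sample MEMBERS rows (not real forum data). M_USERNAME is the NT
# logon (what NTAuthenticate stores in the "userid" cookie), M_NAME the display
# name, M_PASSWORD the stored password (empty for NT-authenticated accounts,
# which carry no password in the Snitz database), M_LEVEL 4 = administrator.
MEMBERS = [
    {"M_USERNAME": "CORP\\kym", "M_NAME": "Kym", "M_PASSWORD": "", "M_LEVEL": 4},
    {"M_USERNAME": "CORP\\hal", "M_NAME": "Hal", "M_PASSWORD": "", "M_LEVEL": 1},
    # A DB-authenticated admin, included only to exercise the DB branch below.
    {"M_USERNAME": "admin", "M_NAME": "Site Admin", "M_PASSWORD": "sample-pass", "M_LEVEL": 4},
]

STR_DB_NT_SQL_NAME = "M_USERNAME"  # what config.asp sets strDBNTSQLName to under NT auth


def chk_user(lookup_value, sql_name=STR_DB_NT_SQL_NAME):
    """Model of chkUser: find the member whose <strDBNTSQLName> column equals
    lookup_value and return its M_LEVEL, or 0 ("invalid") when nothing matches.
    The password argument of the real chkUser plays no part here and is omitted."""
    for row in MEMBERS:
        if row[sql_name] == lookup_value:
            return row["M_LEVEL"]
    return 0


def _member_by_userid(user_id):
    return next((r for r in MEMBERS if r["M_USERNAME"] == user_id), None)


def nt_user_level_buggy(user_id):
    """NTUser as the post describes the bug: the "Name" cookie is set from
    M_NAME and that display name is handed to chkUser, which searches
    M_USERNAME, so the lookup misses and the level comes back as 0."""
    member = _member_by_userid(user_id)
    if member is None:
        return 0
    name_cookie = member["M_NAME"]   # step 2: Name cookie := M_NAME
    return chk_user(name_cookie)     # step 3: searches M_USERNAME -> no match


def nt_user_level_fixed(user_id):
    """The corrected call from the post: pass the userID (NT logon) to chkUser."""
    return chk_user(user_id)


def admin_login_naive(username, password):
    """Model of the separate admin login as the first post describes it: typed
    username and password compared with the stored values. Because NT accounts
    store no password, an empty typed password matches and grants admin access."""
    for row in MEMBERS:
        if row["M_USERNAME"] == username and row["M_PASSWORD"] == password:
            return row["M_LEVEL"] == 4
    return False


def admin_access(auth_type, authenticated_user=None, username=None, password=""):
    """Hardened decision (assumed design, not Snitz code): under NT auth the typed
    credential is ignored entirely and only the level of the identity IIS already
    authenticated counts; under DB auth an empty stored password is never accepted
    as a credential, and the comparison is constant-time."""
    if auth_type == "nt":
        return nt_user_level_fixed(authenticated_user) == 4
    row = _member_by_userid(username)
    if row is None or not row["M_PASSWORD"]:
        return False
    if not hmac.compare_digest(row["M_PASSWORD"].encode(), password.encode()):
        return False
    return row["M_LEVEL"] == 4


if __name__ == "__main__":
    print("buggy NTUser level for CORP\\kym:", nt_user_level_buggy("CORP\\kym"))  # 0
    print("fixed NTUser level for CORP\\kym:", nt_user_level_fixed("CORP\\kym"))  # 4
    print("naive admin login, empty password:", admin_login_naive("CORP\\kym", ""))  # True
    print("hardened, NT identity CORP\\hal typing kym's name:",
          admin_access("nt", authenticated_user="CORP\\hal",
                       username="CORP\\kym", password=""))  # False
```

The two NTUser variants differ only in which value reaches chk_user, which is the whole of the bug. The admin_access rule makes explicit what the thread's fix achieves implicitly: once NT authentication is on, the only input that should decide admin rights is the identity the web server already verified, never a name typed into a form.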

mclek
New Member

Australia
50 Posts

Posted - 29 August 2001 : 02:06:30
I have posted a bug fix for this (http://forum.snitz.com/forum/topic.asp?ARCHIVE=&TOPIC_ID=16027).

Admin_login.asp still needs changes similar to the ones you suggested, Hal. It doesn't need to set the approval cookie, as the above fix will do that.

I have ended up with the following code:

<%
'## If NT Authentication is on just check if the user has admin
'## rights. If they don't have admin rights, push them back to
'## the default screen.
if (strAuthType = "nt") then
    if (mlev = 4) then
        if Request("target") = "" then
            Response.Redirect "admin_home.asp"
        else
            Response.Redirect Request("target")
        end if
        Response.End
    else
        Response.Redirect "default.asp"
        Response.End
    end if
end if
%>


Catcha,
Kym.



Edited by - mclek on 29 August 2001 02:54:47
Snitz Forums 2000 © 2000-2021 Snitz™ Communications. Powered By: Snitz Forums 2000 Version 3.4.07