Microsoft BackOffice
Created 4/30/02
CVE 2002-0736
Impact
A remote attacker can bypass the logon page and gain access
to the BackOffice administration pages.
Background
Microsoft BackOffice comes with a web-based remote
Administrator application. Access to the Administrator
application is controlled by a logon page requiring a
login name and password.
The Problem
CVE 2002-0736
The portion of code which performs authentication to the
BackOffice administrative pages checks only that the
authentication type is defined. Therefore, a remote attacker
can gain access simply by specifying the authentication type
in the HTTP request headers, without supplying a login
name and password.
Microsoft BackOffice Web Administrator 4.0 and
4.5 are affected by this vulnerability if they are configured
to allow Basic authentication, and to allow access from hosts
other than localhost. Neither of these conditions is enabled
by default.
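To make the flaw class concrete, here is an added illustration (not code from Microsoft or from the advisory) of an authentication check that only tests whether an authentication type is present, placed beside a check that actually verifies the Basic credentials, plus the localhost restriction that the text above names as a mitigating condition. All names, the credential store and the sample requests are constructed for this example.

```python
import base64
import hashlib
import hmac

# Constructed credential store: username -> salted SHA-256 hex digest.
# (Hypothetical; nothing here reproduces BackOffice Web Administrator code.)
_SALT = b"example-salt"


def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()


USERS = {"admin": _digest("correct horse battery staple")}


def basic_header(user: str, password: str) -> dict:
    """Build a request header dict carrying HTTP Basic credentials (test helper)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def flawed_is_authenticated(headers: dict) -> bool:
    """The weakness described for CVE-2002-0736: the check only asks whether an
    authentication type is defined in the request, never whether a valid name
    and password were supplied."""
    auth_type = headers.get("Authorization", "").split(" ", 1)[0]
    return auth_type != ""  # any defined type passes, credentials are never examined


def hardened_is_authenticated(headers: dict) -> bool:
    """Parse an HTTP Basic Authorization header and verify the credentials."""
    value = headers.get("Authorization", "")
    scheme, _, payload = value.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return False  # no credentials present: reject, whatever the scheme says
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False  # malformed token
    user, sep, password = decoded.partition(":")
    if not sep:
        return False  # Basic credentials must be "user:password"
    expected = USERS.get(user)
    if expected is None:
        hmac.compare_digest(_digest(password), _digest(""))  # keep timing uniform
        return False
    return hmac.compare_digest(_digest(password), expected)


def request_allowed(headers: dict, remote_addr: str, allow_remote: bool = False) -> bool:
    """Apply the localhost-only restriction first, then the credential check.
    With allow_remote left False (the default the text describes), a request
    from any other host never reaches the authentication step."""
    if not allow_remote and remote_addr not in ("127.0.0.1", "::1"):
        return False
    return hardened_is_authenticated(headers)


if __name__ == "__main__":
    # Constructed request that names an authentication type but carries no credentials.
    no_credentials = {"Authorization": "Basic"}
    print("flawed check accepts header-only request:", flawed_is_authenticated(no_credentials))
    print("hardened check accepts header-only request:", hardened_is_authenticated(no_credentials))
    good = basic_header("admin", "correct horse battery staple")
    print("hardened check accepts valid credentials:", hardened_is_authenticated(good))
    print("valid credentials from a remote host, localhost-only:", request_allowed(good, "10.0.0.5"))
```

The flawed function accepts any request whose Authorization header merely names a scheme, which is the behaviour the advisory describes; the hardened function rejects it because no credentials were decoded and verified. Keeping the localhost restriction in front of the credential check means a defect in the authentication logic is only reachable from the local machine, which is why the text lists remote access as a precondition for the vulnerability.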
Resolution
Install patch Q316838.
Where can I read more about this?
This vulnerability was announced in Microsoft Knowledge Base article
Q316838
and in NGSSoftware Advisory #NISR17042002A.