IBM Support

PM58073: Simple Authentication Bypass Vulnerability Not Detected in ASE

 

APAR status

  • Closed as program error.

Error description

  • The customer is scanning a simple test site with ASE.
    He is manually able to bypass the login with this simple
    manipulation of the username field, changing the value to
    ' or 1=1--
    When he runs ASE with the SQL Injection Authentication Bypass
    tests, there is evidence in the traffic log of many of these
    types of tests being run on the user name and password fields, but
    none of them bypass the login.  I do not see evidence of the
    exact test that he is trying manually in the traffic logs.
    I have made sure his configuration is OK: his recorded login is
    fine, and the user name and password fields are correctly identified.

    You can test this out with a scan of altoromutual.com:
    http://altoromutual.com/bank/login.aspx
    If you configure a scan logging in as jsmith/demo1234 and
    Authentication Bypass Using SQL Injection tests and SQL
    Injection tests, there is no indication of the following type of
    test being sent on the user name field in the traffic logs:
    ' or 1=1 --
    The POST to http://altoromutual.com/bank/login.aspx is similar
    to that of the customer's.
    It is this type of test, ' or 1=1 --, that will create a
    vulnerability in the customer's site.
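
The traffic-log check described above (did the ' or 1=1 -- test ever reach the user name field?) can be done mechanically over the logged login POSTs. This is an added example, not part of the APAR or of AppScan; the POST bodies are constructed and the field names uid and passw are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed POST bodies standing in for login requests exported from a
# scanner traffic log. The field names "uid" and "passw" are assumptions.
SAMPLE_BODIES = [
    "uid=jsmith&passw=demo1234",
    "uid=jsmith%27+having+1%3D1--&passw=demo1234",
    "uid=jsmith&passw=%27+or+1%3D1+--",
    "uid=%27%3B+select+1--&passw=x",
]

# Quote, OR, a value compared with itself, then a SQL comment:
# matches both spellings in the report, ' or 1=1-- and ' or 1=1 --
TAUTOLOGY = re.compile(r"'\s*or\s+(\w+)\s*=\s*\1\s*--", re.IGNORECASE)


def fields_with_tautology(body):
    """Return the form fields of one POST body whose decoded value holds the test."""
    params = parse_qs(body, keep_blank_values=True)  # decodes %27, + and %3D
    return {name for name, values in params.items()
            if any(TAUTOLOGY.search(v) for v in values)}


def coverage(bodies, field):
    """Return the bodies in which `field` carried the tautology test."""
    return [b for b in bodies if field in fields_with_tautology(b)]


def report(bodies, fields):
    """Map each field to the number of requests that tested it."""
    return {f: len(coverage(bodies, f)) for f in fields}


if __name__ == "__main__":
    for field, hits in report(SAMPLE_BODIES, ["uid", "passw"]).items():
        status = "tested" if hits else "NOT tested"
        print(f"{field}: {status} ({hits} request(s))")
```

On the constructed sample the user name field comes back as not tested even though other injection strings were sent to it, which is the gap this APAR reports.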
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Customer document showing how he is able to bypass the login
    with ' or 1=1
    

Problem conclusion

  • RTC defect 36708 closed per Rob Calendino
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM58073

  • Reported component name

    RATL APPSCAN EE

  • Reported component ID

    5724T5200

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-02-13

  • Closed date

    2012-06-25

  • Last modified date

    2012-06-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    RATL APPSCAN EE

  • Fixed component ID

    5724T5200

Applicable component levels

  • R800 PSN

       UP


Document Information

Modified date:
08 September 2020