[8391] in bugtraq


Bug (Quirk?) w/Novell BorderManager

daemon@ATHENA.MIT.EDU (Robert MACDONALD)
Wed Nov 4 00:55:52 1998

Date: 	Tue, 3 Nov 1998 12:27:06 -0500
Reply-To: Robert MACDONALD <RMACDONALD@PERRIGO.COM>
From: Robert MACDONALD <RMACDONALD@PERRIGO.COM>
X-To:         novell@listserv.syr.edu, Netw4l@mail.otherwhen.com
To: BUGTRAQ@NETSPACE.ORG

This message is being posted to:
  BUGTRAQ@NETSPACE.ORG
  Netw4l@mail.otherwhen.com
  Novell@listserv.syr.edu

Problem:
-------------
While granting users permission to use BorderManager proxy
service, I noticed that the BorderManager snapin will grant
user access through the proxy system with a blank password, by
viewing the 'Proxy Authentication' tab and without attempting
to assign a password - even if you cancel, you still grant full
permission to use the proxy system.

Only those who run nwadmin with the BorderManager snapin will
be able to see the additional 3 BM tabs, including the above.

Discovery:
----------------
Under normal admin circumstances, you would load nwadmin with
the BorderManager snapin (only the Win95 version will handle the
snapin at this time?). Find the user object and go into details. Click
on the 'Proxy Authentication' tab and assign a password. This is
the password that you need to supply, along with the username,
when the browser prompts you.

While adding users, I noticed that there wasn't any check box, etc.
to activate the account, only the 'Allow user to change password'
and 'Force password change every...' check boxes and a change
password button. So I decided to just click cancel without making
any changes to see what would happen.

When I ran the browser (both IE & Netscape) and was prompted for
username and password, I typed in the username and no password
and out I went :-o

Temporary Fix:
----------------------
If you have 'looked' at the Proxy Authentication tab, then change
password to some sort of garbage to 'deactivate' the proxy account.

This really isn't a fix, and you have to remember to do this, or you
open up a doorway to the world for those who you thought could
not get there. You still have logging (don't you?) to tell you who is
accessing through the proxy server.

Any user can use another's 'signon', since these signons/objects
are not tied together as one in NDS - BM v3.0 I'm told will change
this.

Conclusion:
------------------
I have spoken with Novell (Sept 30), who checked/verified this with
the developers, and the answer I received was, we are aware of this,
and that is the way it was designed (yes, these were their words!).

The snapin assumes that you are granting access when you view
the Proxy Authentication tab and if you don't assign a password,
then a blank will be assigned for you - Even If You Cancel! The
tech I spoke with said the developers weren't sure if this was
going to be changed in BorderManager v3.0 release.

Sorry for taking so long to report this.



Best of Luck!
Robert

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Robert P. MacDonald (rmacdonald@perrigo.com)
Systems, Network & Security Engineer
Perrigo Company, Allegan, Michigan
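The behaviour the post describes, modelled as an added example (hypothetical code, not Novell's or the snapin's): a credential store where merely viewing the tab provisions a blank proxy password, a hardened variant that only writes on an explicit OK with a non-empty password, an audit that lists accounts left with a blank password, and the post's workaround of overwriting the blank with an unguessable value.

```python
"""Model of the grant-on-view flaw from the BorderManager snapin report.

Hypothetical code written for illustration: a proxy credential store keyed
by user name, two versions of the 'Proxy Authentication' tab handler, the
proxy's login check, and an audit for blank passwords.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProxyAccounts:
    # user -> proxy password; a missing key means "no proxy access at all"
    creds: Dict[str, str] = field(default_factory=dict)


def authenticate(store: ProxyAccounts, user: str, password: str) -> bool:
    """Proxy login check: succeeds when a credential exists and matches,
    which is exactly why a provisioned blank password lets anyone in."""
    return user in store.creds and store.creds[user] == password


def view_tab_buggy(store: ProxyAccounts, user: str,
                   new_password: Optional[str] = None, ok: bool = False) -> None:
    """Reported snapin behaviour: opening the tab assigns a blank password
    whether the admin later presses OK or Cancel."""
    store.creds.setdefault(user, "")
    if ok and new_password:
        store.creds[user] = new_password


def view_tab_fixed(store: ProxyAccounts, user: str,
                   new_password: Optional[str] = None, ok: bool = False) -> None:
    """Hardened variant: viewing or cancelling writes nothing, and OK with
    an empty password leaves the user without proxy access."""
    if ok and new_password:
        store.creds[user] = new_password


def blank_password_accounts(store: ProxyAccounts) -> List[str]:
    """Audit: users whose proxy credential was provisioned but left blank."""
    return sorted(u for u, pw in store.creds.items() if pw == "")


def deactivate(store: ProxyAccounts, user: str) -> None:
    """The post's workaround: replace a blank credential with a random
    value so the account no longer authenticates with an empty password."""
    if store.creds.get(user) == "":
        store.creds[user] = secrets.token_urlsafe(32)
```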
