Authentication bypass in Cyberix Internet Management System

A Mohali-based company, http://www.cyberix.in/, has an otherwise good Internet Management Software product named Cyberix that is vulnerable to a very simple authentication bypass (it is really more of a software design issue). When Cyberix IMS authenticates a user through the web login popup window, it sends the MD5 hash of the user's password in the GET request. Because all URLs, along with their GET variables and values, are saved in the browser's history, any user with access to a system used by a previous user can simply check the browser history and click on the login URL to log in as the other user, without providing any password. This defeats the purpose of an IMS in which different users may have different access levels, as promised by Cyberix IMS.

The login URL has the following format:

http://[IP of Cyberix server]/web_based/sample.php?user=[username]&passwd=[MD5 hash of password]

The login prompt page uses a JavaScript MD5 function to hash the plain text password before sending it in the HTTP GET request. In organisations where systems are shared, or are otherwise accessible to multiple persons, this authentication bypass is very easy to accomplish. Check history and you are logged in.
Submitted by Ajay Pal Singh Atwal on March 19, 2007 - 3:10pm. categories [ Bug Reports | Security ]
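
An added example, not part of the original post and not Cyberix code: a Python audit that scans web-server access-log lines for the pattern described above (a secret-named or MD5-shaped value in a GET query string) and returns each hit with the value redacted. The log lines, user name, hash value and list of parameter names are constructed assumptions; only the `/web_based/sample.php?user=...&passwd=...` format comes from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumed list of parameter names that carry a secret; "passwd" is the one from the post.
SECRET_NAMES = {"passwd", "password", "pass", "pwd"}
MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")           # shape of a hex-encoded MD5 digest
REQUEST = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')

def audit_url(url):
    """Return (reasons, redacted_url) for one URL or request path."""
    parts = urlsplit(url)
    reasons, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        by_name = name.lower() in SECRET_NAMES
        by_shape = MD5_HEX.fullmatch(value) is not None
        if by_name or by_shape:
            why = "secret-like name" if by_name else "32-hex value"
            if by_name and by_shape:
                why = "MD5-shaped password hash"
            reasons.append(f"{name}: {why}")
            value = "REDACTED"                      # never copy the credential into a report
        cleaned.append((name, value))
    return reasons, urlunsplit(parts._replace(query=urlencode(cleaned)))

def audit_log(lines):
    """Scan access-log lines; return (line_no, reasons, redacted_path) per hit."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue                                # POST bodies are not in the request line
        reasons, redacted = audit_url(m.group(1))
        if reasons:
            hits.append((no, reasons, redacted))
    return hits

# Constructed sample lines (documentation IPs, invented user, placeholder hash).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Mar/2007:15:02:11 +0530] "GET /web_based/sample.php'
    '?user=alice&passwd=0123456789abcdef0123456789abcdef HTTP/1.1" 200 512',
    '192.0.2.11 - - [19/Mar/2007:15:03:40 +0530] "GET /index.php?page=2 HTTP/1.1" 200 2048',
    '192.0.2.12 - - [19/Mar/2007:15:04:05 +0530] "POST /web_based/sample.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for no, reasons, redacted in audit_log(SAMPLE_LOG):
        print(f"line {no}: {'; '.join(reasons)} -> {redacted}")
```

`audit_url` also accepts full URLs, so the same check can be run over URLs exported from a shared machine's browser history or from proxy logs.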