The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Example 1: Fooling a Password Change Function




The authors have encountered this logic flaw in a web application implemented by a financial services company and also in the AOL AIM Enterprise Gateway application.



The Functionality

The application implemented a password change function for end users. It required the user to fill out fields for username, existing password, new password, and confirm new password.

There was also a password change function for use by administrators. This allowed them to change the password of any user without the need to supply the existing password. The two functions were implemented within the same server-side script.



The Assumption

The client-side interface presented to users and administrators differed in one respect: the administrator’s interface did not contain a field for an existing password. When the server-side application processed a password change request, it used the presence or absence of the existing password parameter to indicate whether the request was from an administrator or an ordinary user. In other words, it assumed that ordinary users would always supply an existing password parameter.

The code responsible looked something like this:

    String existingPassword = request.getParameter("existingPassword");
    // Flawed assumption: any request lacking the parameter is treated as an administrator
    if (null == existingPassword)
    {
        trace("Old password not supplied, must be an administrator");
        return true;
    }
    else
    {
        trace("Verifying user's old password");
        ...
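The following is an added example, not code from the book or from either application it describes. It restates the flawed decision in Python rather than the original Java, alongside a corrected handler in which the privilege decision comes from the authenticated session's role instead of from which form fields the client sent. The account store, usernames, passwords and the `store`/`session_user`/`params` parameters are all constructed for illustration.

```python
import hmac


def make_store():
    """Constructed sample account store (hypothetical, not data from the book).
    Real applications store password hashes; plaintext is used here only so the
    comparison stays visible."""
    return {
        "alice": {"password": "alice-old", "role": "user"},
        "admin": {"password": "admin-secret", "role": "admin"},
    }


def change_password_vulnerable(store, params):
    """Mirrors the flawed logic on the page: a request that omits the
    existingPassword parameter is treated as an administrator request."""
    username = params["username"]
    if username not in store:
        return False
    new_password = params["newPassword"]
    if new_password != params.get("confirmPassword"):
        return False
    existing = params.get("existingPassword")
    if existing is None:
        # "Old password not supplied, must be an administrator"
        store[username]["password"] = new_password
        return True
    if not hmac.compare_digest(existing, store[username]["password"]):
        return False
    store[username]["password"] = new_password
    return True


def change_password_fixed(store, session_user, params):
    """Corrected handler: the role of the authenticated session decides what
    is permitted; the shape of the request decides nothing."""
    actor = store[session_user]
    target = params["username"]
    if target not in store:
        return False
    new_password = params["newPassword"]
    if new_password != params.get("confirmPassword"):
        return False
    if actor["role"] == "admin":
        # Administrators may reset any account without the old password.
        store[target]["password"] = new_password
        return True
    # Ordinary users may change only their own password, and must prove the old one.
    if target != session_user:
        return False
    existing = params.get("existingPassword")
    if existing is None:
        return False
    if not hmac.compare_digest(existing, actor["password"]):
        return False
    actor["password"] = new_password
    return True
```

The corrected version keeps the administrator path the page describes (no existing password required) but reaches it only through the session's role; an ordinary user's request with the parameter missing is rejected rather than promoted. The same principle applies to any flag a server derives from client-controlled request structure: derive it from server-side state instead.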

