J-Security Center

Title: Microsoft BackOffice Server Web Administration Authentication Bypass Vulnerability

Severity: HIGH

Description:

The Microsoft BackOffice suite of products includes a web-based, ASP-based administration application that runs on IIS. The BackOffice Web Administrator component of BackOffice Server contains a design flaw that could allow unauthorized users to bypass authentication.

This is achieved by submitting an HTTP request directly to services.asp (Boadmin/Backoffice/Services.asp). No credentials are required to reach the administration page, and such a request bypasses the login screen.

It should be noted that this issue only occurs if basic authentication is being used. In addition, by default, the BackOffice Web Administrator is configured to accept connections only from localhost (127.0.0.1). However, it is likely that administrators have changed this setting in order to use the administration interface for remote access.
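The two facts above (the page is reachable without credentials, and the default localhost-only restriction is often relaxed) give a simple log-based check for exposure. The following is an added example, not part of the advisory or any Microsoft or Juniper tooling: it parses IIS W3C extended log lines and flags successful requests to the Services.asp path that come from a non-loopback client, separating those where IIS recorded no authenticated user (cs-username of "-") from those where it did. The log lines are constructed, and the reduced field set and their order are assumptions about how the server was configured to log.

```python
"""Flag IIS W3C log entries showing remote access to the BackOffice Web
Administrator's Services.asp page (added example; log lines constructed)."""
import ipaddress
from typing import Dict, List

# Path named in the advisory, compared case-insensitively (IIS paths are).
ADMIN_PATH = "/boadmin/backoffice/services.asp"

# Constructed sample log. Assumption: the server logs these W3C fields in
# this order. With basic authentication IIS records the user in cs-username;
# "-" means no authenticated user was associated with the request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 4.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2000-05-01 10:00:01 127.0.0.1 DOMAIN\\admin GET /Boadmin/Backoffice/Services.asp 200
2000-05-01 10:00:07 10.0.0.5 - GET /Boadmin/default.asp 401
2000-05-01 10:00:09 10.0.0.5 - GET /Boadmin/Backoffice/Services.asp 200
2000-05-01 10:00:20 10.0.0.9 DOMAIN\\admin GET /Boadmin/Backoffice/Services.asp 200
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per record, keyed by the
    names from the most recent #Fields: directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) or blank
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record; skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; unparsable addresses count as remote."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_remote_admin_access(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return successful (200) requests for the admin page from non-loopback
    clients. 'unauthenticated' is True when IIS logged no user for the request,
    which is what a login-screen bypass would look like in the log."""
    hits: List[Dict[str, object]] = []
    for r in records:
        if r.get("cs-uri-stem", "").lower() != ADMIN_PATH:
            continue
        if r.get("sc-status") != "200":
            continue
        if is_loopback(r.get("c-ip", "")):
            continue  # matches the default localhost-only configuration
        hits.append({
            "time": f'{r.get("date", "")} {r.get("time", "")}',
            "c-ip": r["c-ip"],
            "unauthenticated": r.get("cs-username", "-") == "-",
        })
    return hits


if __name__ == "__main__":
    for hit in find_remote_admin_access(parse_w3c(SAMPLE_LOG)):
        kind = "UNAUTHENTICATED" if hit["unauthenticated"] else "authenticated"
        print(f'{hit["time"]} {hit["c-ip"]} {kind} access to {ADMIN_PATH}')
```

Any hit at all means the interface is no longer restricted to 127.0.0.1; an unauthenticated hit on a server that uses basic authentication is the pattern the advisory describes. Re-pointing the check at other pages under Boadmin/ only needs ADMIN_PATH changed.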

Affected Products:

  • Microsoft BackOffice 4.0.0
  • Microsoft BackOffice 4.5.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.