Authentix is a Windows-based product that offers either cookie/form-based authentication or a cookie-free "Basic Authentication" while keeping NT user names and passwords private. It protects all files, not just ASP pages. It can validate against an internal database, a text file or an external ODBC data source, and it requires Windows NT or Windows 2000 with IIS.
A security hole in the product allows viewing of "secured files" even without the right permission settings.
Credit:
The information has been provided by Lisa Saarloos.
Vulnerable systems:
Authentix versions prior to version 5.3
By using special characters in the URL, it is possible under certain circumstances to bypass the authentication mechanism of Authentix100. This allows arbitrary users to view information that they should not be able to see.
Patch availability:
Recognizing the important role that Authentix100 plays in authentication, Flicks Software has released version 5.3 of Authentix100.
All users of Authentix100 are strongly encouraged to upgrade to the latest version of Authentix100 at: http://www.flicks.com/authentix100
This upgrade, like the original product, is FREE.
Exploit:
Normally, after logging in, and after being redirected to your part of the site, the URL looks like this: