About 50% of websites built with Ektron CMS400.NET are at security risk


A recent analysis of 30 websites built using Ektron CMS400.NET (a promising and rapidly growing .NET-based content management system) has revealed that 14 of them are vulnerable to a ‘default password attack’. That is, an attacker can gain access to the workarea (admin panel) or the membership area of those sites simply by using the default username and password. The other 16 sites were found to be secure, at least against this particular vulnerability.

What is a ‘default password’? Nowadays it is common practice in the software industry to create a default admin, user or test account during the installation of a software package. In some cases the installer asks for a password for that admin or user account; in other cases the vendor simply lists the admin/user/test accounts (username and password) in the product documentation. Either way, those accounts exist by default as soon as the application is installed. An example makes the issue clear. Remember ‘scott/tiger’? For a long time the world-famous Oracle DBMS shipped with this default username/password for the Oracle database. Similarly, ‘sa’ was the default username in SQL Server, with no password at all.

I assume the reader already understands what a ‘default password attack’ is. Attackers are constantly looking for easy, time-efficient ways into a system’s admin panel, and trying the default password is probably the first and best choice for a hacker in that situation. I would call it the most powerful attack, because the attacker need not work hard at all to get into the admin panel within a very short time. Since it takes so little time and effort, every attacker will try it at least once if the product is known to ship with a default username/password.

Recently I took a list of websites from Ektron’s partner page (http://www.ektron.com/partners/) to see how many of them are vulnerable to this attack. By the way, Ektron CMS ships with 4 default username/password pairs, each with a different role. Let’s get acquainted with them:

User Type       | Username | Password | Permission
Administrator   | builtin  | builtin  | All
Administrator   | admin    | admin    | All
Standard user   | jedit    | jedit    | Basic (for example, add/edit content, manage library files etc.)
Membership user | jmember  | jmember  | Read only permission to private content

The reason I chose Ektron’s partner list is that it made it easy to find sites built with Ektron. Even without that list, Google is always there as your friend: searching for “inurl:cmslogin.aspx” should return at least some sites built with Ektron, because the default login page of Ektron CMS is named either login.aspx or cmslogin.aspx, depending on the version. Anyway, after collecting the sites, I first tried to find their login pages. In most cases I succeeded, but in some cases (where the developers were smarter) I could not even find the login page. Then I simply tried the 4 default username/password pairs one after another and, interestingly, among the 30 websites I had picked at random for my test, 14 are vulnerable; that is, I was able to log in successfully. This is horrible, because many well-known websites are on the list. I am giving the full list from my test, but reader, please do not do any harm. I tried to contact each of the site owners, but unfortunately none of them replied.

Default Password Works For:

http://www.freestyleinteractive.co.uk/cmslogin.aspx [Fixed]
http://www.cairnenergy.com/cmslogin.aspx
http://www.siaonline.org/cmslogin.aspx
http://www.hopkinschildrens.org/login.aspx
http://www.octa.net/login.aspx [Fixed]
http://www.itsmarta.com/login.aspx
http://www.teradata.com/t/login.aspx
http://www.gdit.com/WorkArea/login.aspx
http://www.psea.org/login.aspx
http://www.tea.state.tx.us/cmslogin.aspx
http://www.majesticathletic.com/login.aspx
http://www.iga.com/login.aspx
http://dioceseofbrooklyn.org/login.aspx
http://www.2020technologies.com/cmslogin.aspx

Default Password Does Not Work For:

http://www.advantagewm.co.uk/
http://www.standardlifeinvestments.com/
http://www.arrivabus.co.uk/login.aspx
http://www.ahla.com/cmslogin.aspx
http://www.whiteface.k12.tx.us/redesign2/cmslogin.aspx
http://www.bwpmlp.com/login.aspx
http://www.stateauto.com/login.aspx
http://www.doubleclick.com/login.aspx
https://www.palottery.state.pa.us/login.aspx
http://www.mdod.maryland.gov/cmslogin.aspx
http://www.rbc.org/WorkArea/login.aspx
https://www.moodyministries.net/login.aspx
http://www.boardmember.com/login.aspx
http://www.worldoil.com/login.aspx
http://www.stiefel.com/cmslogin.aspx
http://www.calendow.org/login.aspx
http://www.perrigo.com/login.aspx

However, I would not blame Ektron for this kind of vulnerability; instead I would ask the developers who build with Ektron: did you not notice the Security Checklist that is clearly and boldly printed on the very first page of the setup manual? It spells out a basic security checklist that includes:

  • Change Admin user password
  • Change builtin user password
  • Remove Sample users and Sample Membership Users
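As an added, defender-side example (not code from the original post, and not Ektron’s own tooling), here is a small pre-deployment audit that checks an exported user list against the three checklist items above: it flags the admin and builtin accounts if they still accept the vendor default password, and flags the jedit/jmember sample accounts if they still exist. It assumes a generic per-user salt plus PBKDF2-SHA256 password store; that format is a stand-in, since the post does not describe how the CMS actually stores passwords. The user records are constructed for illustration.

```python
import hashlib
import hmac

# Ektron's documented default accounts, as listed in the table above.
DEFAULT_PASSWORDS = {
    "builtin": "builtin",
    "admin": "admin",
    "jedit": "jedit",
    "jmember": "jmember",
}
# Sample accounts the setup checklist says to remove outright.
SAMPLE_ACCOUNTS = {"jedit", "jmember"}


def hash_password(password: str, salt: bytes) -> str:
    """Assumed store format: PBKDF2-SHA256 over a per-user salt (a stand-in, not the CMS's real scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


def audit_users(users):
    """Return (username, finding) pairs for every unmet checklist item.

    users: iterable of dicts with keys 'username', 'salt' (bytes) and 'password_hash' (hex str).
    """
    findings = []
    for user in users:
        name = user["username"].lower()
        if name in SAMPLE_ACCOUNTS:
            findings.append((user["username"], "sample account still present; remove it"))
        default = DEFAULT_PASSWORDS.get(name)
        if default is not None:
            expected = hash_password(default, user["salt"])
            # Constant-time comparison so the audit itself does not leak anything via timing.
            if hmac.compare_digest(expected, user["password_hash"]):
                findings.append((user["username"], "still uses the vendor default password; change it"))
    return findings


def checklist_status(users):
    """Map the three checklist items from the setup manual to True (done) / False (not done)."""
    still_default = {name.lower() for name, msg in audit_users(users) if msg.startswith("still uses")}
    present = {u["username"].lower() for u in users}
    return {
        "1. Change Admin user password": "admin" not in still_default,
        "2. Change builtin user password": "builtin" not in still_default,
        "3. Remove Sample users and Sample Membership Users": not (present & SAMPLE_ACCOUNTS),
    }


def make_user(username: str, password: str, salt: bytes) -> dict:
    """Build one constructed export row the way a hashed user export might look."""
    return {"username": username, "salt": salt, "password_hash": hash_password(password, salt)}


# Constructed sample export: admin was rotated, builtin was not, jedit still exists, jmember was removed.
SAMPLE_EXPORT = [
    make_user("admin", "S0me-L0ng-Unique-Passphrase", b"salt-admin-01"),
    make_user("builtin", "builtin", b"salt-builtin-02"),
    make_user("jedit", "jedit", b"salt-jedit-03"),
    make_user("editor.jane", "Another-Unique-Passphrase", b"salt-jane-04"),
]

if __name__ == "__main__":
    for username, finding in audit_users(SAMPLE_EXPORT):
        print(f"{username}: {finding}")
    for item, done in checklist_status(SAMPLE_EXPORT).items():
        print(f"[{'x' if done else ' '}] {item}")
```

Run against the constructed export, the audit reports builtin as still carrying its default password and jedit as both present and default, so only item 1 of the checklist passes. The point of checking the stored hash against the documented default, rather than just looking at account names, is that renaming or hiding the login page changes nothing if the credentials themselves are still the vendor’s.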

Stakeholders who use Ektron as the content management system for their valuable projects should be alert to this type of threat and take the necessary steps as soon as possible.


9 thoughts on “About 50% of websites built with Ektron CMS400.NET are at security risk”

  1. Your analysis is correct. Sometimes we also used the same password for all the Ektron sites we work for, i.e. a common password across all sites so that we can remember it easily. Even if it is a development or staging server, we need to change the admin password the first time. We can even delete jedit/jmember.

  2. Thank you for highlighting the fact that we missed disabling the ‘jmember’ user on our website.

    We’ve fixed the problem and would appreciate it if you can update your post to reflect this.

    As this was a potentially serious issue for us it would have been given top priority when we received your notification. Can you let me know how you attempted to inform us before publishing your findings?

  3. Thanks for amending your post. I’d also like to point out that none of our clients sites are affected by this – as with most agencies, our primary focus is the client.

    It’s just unfortunate (and embarrassing) that removing the ‘jmember’ user was overlooked for our company site.

  4. Like Martin above, thanks for pointing this out. Again, it’s a little embarrassing that we missed deleting the jmember user on one of our client websites (which we’ve now done).

    In our defence there are no membership functions on that particular site, but still… We’ve updated our release procedures accordingly.

    N.

  5. I just don’t understand why you would post a blog about this, clearly letting anyone hack into the above websites, instead of letting the webmaster know. It sounds crude to me.

  6. @Rachel

    You are correct that it’s not fair to disclose a vulnerability in public before notifying the webmasters. Thanks for your comments.
