A recent analysis of 30 websites built with Ektron CMS400.NET (a promising and rapidly growing content management system based on .NET) has revealed that 14 of them are vulnerable to a ‘Default Password Attack’. That is, a hacker can easily get access to the workarea (admin panel) or membership area of those sites just by using the default username and password. The other 16 sites, on the other hand, were found to be secure at least against this vulnerability.
What is this ‘Default Password’? Nowadays it is common practice in the software industry to create a default admin, user or test account during the installation of a software package. In some cases the installer asks for the password(s) of that admin or user account, but in other cases the vendor just provides a list of admin/user/test accounts (username and password) in the product documentation. Basically, those accounts are created by default when the application is installed. An example will make this clear. Do you remember ‘scott/tiger’? Yes, for a long time the world-famous DBMS Oracle has used this default username/password for the Oracle database. Similarly, ‘sa’ was used as the default username, with no password, in SQL Server.
I believe the reader already knows/understands what a ‘Default Password Attack’ is. Attackers are constantly looking for an easy and time-effective way to get into a system’s admin panel. A ‘Default Password Attack’ is probably the first and best choice for a hacker in such a case. I would say this is the most powerful attack, because hackers need not work hard to get into a system’s admin panel within a very short time. As it takes little time and effort, every hacker tries this at least when the product usually ships with a default username/password.
Recently I took a list of websites from Ektron’s Partner page (http://www.ektron.com/partners/) to see how many of them are vulnerable to this attack. By the way, Ektron CMS ships with 4 default usernames and passwords with different roles. Let’s get acquainted with them:
| User Type | Username | Password | Permission |
|---|---|---|---|
| Administrator | builtin | builtin | All |
| Administrator | admin | admin | All |
| Standard user | jedit | jedit | Basic (for example, add/edit content, manage library files etc.) |
| Membership user | jmember | jmember | Read only permission to private content |
The reason why I chose Ektron’s partner list is that it was easy for me to find out which sites are built using Ektron. Even if I could not get the list from their site, Google is always there as your friend. Just searching for “inurl:cmslogin.aspx” should return at least some sites built with Ektron, because the default login page name of Ektron CMS is either login.aspx or cmslogin.aspx, depending on the version. Anyway, after getting the sites, I first tried to find their login page. In most cases I was successful, but in some cases (where the developers are smarter) I could not even find the login page. Then I just tried the 4 default usernames and passwords one after another and, interestingly, among the 30 websites that I took randomly for my test, 14 are vulnerable. That means I was able to log in successfully. This is horrible, because many well-known websites are in the list. I am giving the full list of my test, but reader, please do not do any harm. I tried to contact each of the site owners, but unfortunately none of them replied.
Default Password Works For:
http://www.freestyleinteractive.co.uk/cmslogin.aspx [Fixed]
http://www.cairnenergy.com/cmslogin.aspx
http://www.siaonline.org/cmslogin.aspx
http://www.hopkinschildrens.org/login.aspx
http://www.octa.net/login.aspx [Fixed]
http://www.itsmarta.com/login.aspx
http://www.teradata.com/t/login.aspx
http://www.gdit.com/WorkArea/login.aspx
http://www.psea.org/login.aspx
http://www.tea.state.tx.us/cmslogin.aspx
http://www.majesticathletic.com/login.aspx
http://www.iga.com/login.aspx
http://dioceseofbrooklyn.org/login.aspx
http://www.2020technologies.com/cmslogin.aspx
Default Password Does Not Work For:
http://www.advantagewm.co.uk/
http://www.standardlifeinvestments.com/
http://www.arrivabus.co.uk/login.aspx
http://www.ahla.com/cmslogin.aspx
http://www.whiteface.k12.tx.us/redesign2/cmslogin.aspx
http://www.bwpmlp.com/login.aspx
http://www.stateauto.com/login.aspx
http://www.doubleclick.com/login.aspx
https://www.palottery.state.pa.us/login.aspx
http://www.mdod.maryland.gov/cmslogin.aspx
http://www.rbc.org/WorkArea/login.aspx
https://www.moodyministries.net/login.aspx
http://www.boardmember.com/login.aspx
http://www.worldoil.com/login.aspx
http://www.stiefel.com/cmslogin.aspx
http://www.calendow.org/login.aspx
http://www.perrigo.com/login.aspx
However, I would not blame Ektron for this kind of vulnerability; instead I would ask those developers who are building with Ektron: did you not notice the Security Checklist that is clearly and boldly written on the very first page of their setup manual? A basic security checklist is strongly stated there, which includes:
- Change Admin user password
- Change builtin user password
- Remove Sample users and Sample Membership Users
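The checklist above can be enforced as a routine audit rather than a one-time step at install. The script below is an added example written for this post, not Ektron's own tooling: it assumes a constructed CSV user export with salted SHA-256 password hashes (the real product's storage format is not described here), checks each row against the four default accounts from the table, flags the sample users for removal, and, going beyond the post's table, also flags any account whose password equals its own username.

```python
"""Audit a CMS user export for default and sample accounts.

Added example, not Ektron's own code. The export format, the salted
SHA-256 hashing scheme and the sample rows are constructed assumptions.
"""
import csv
import hashlib
import io
from dataclasses import dataclass
from typing import Iterable, List

# Default accounts as listed in the post: username -> (default password, role)
DEFAULT_ACCOUNTS = {
    "builtin": ("builtin", "Administrator"),
    "admin": ("admin", "Administrator"),
    "jedit": ("jedit", "Standard user"),
    "jmember": ("jmember", "Membership user"),
}
# Sample accounts the checklist says to remove outright
SAMPLE_ACCOUNTS = {"jedit", "jmember"}


@dataclass(frozen=True)
class Account:
    username: str
    salt: str
    password_hash: str  # hex sha256(salt + password) under the assumed scheme
    role: str


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str
    action: str


def hash_password(password: str, salt: str) -> str:
    """Assumed hashing scheme for the constructed export: sha256(salt || password)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def parse_export(text: str) -> List[Account]:
    """Parse a CSV export with columns username,salt,password_hash,role (assumed format)."""
    reader = csv.DictReader(io.StringIO(text))
    return [Account(r["username"], r["salt"], r["password_hash"], r["role"]) for r in reader]


def audit_accounts(accounts: Iterable[Account]) -> List[Finding]:
    """Return one finding per checklist violation found in the account list."""
    findings: List[Finding] = []
    for acct in accounts:
        name = acct.username.lower()
        if name in SAMPLE_ACCOUNTS:
            findings.append(Finding(acct.username, "sample account still present", "remove the account"))
        if name in DEFAULT_ACCOUNTS:
            default_pw, _role = DEFAULT_ACCOUNTS[name]
            if acct.password_hash == hash_password(default_pw, acct.salt):
                findings.append(Finding(acct.username, "default password still set", "change the password"))
        # Generalisation beyond the post's table: a password equal to the
        # username is as guessable as a shipped default.
        elif acct.password_hash == hash_password(acct.username, acct.salt):
            findings.append(Finding(acct.username, "password equals username", "change the password"))
    return findings


def audit_export(text: str) -> List[Finding]:
    return audit_accounts(parse_export(text))


def _row(username: str, salt: str, plaintext: str, role: str) -> str:
    # Used only to fabricate the constructed sample below; a real export holds hashes only.
    return f"{username},{salt},{hash_password(plaintext, salt)},{role}"


# Constructed sample export: two defaults untouched, one default changed,
# one sample user renamed-by-password but not removed, one weak custom account.
CONSTRUCTED_EXPORT = "\n".join([
    "username,salt,password_hash,role",
    _row("builtin", "s1", "builtin", "Administrator"),      # default password kept
    _row("admin", "s2", "Tr0ub4dor&3", "Administrator"),    # password changed
    _row("jedit", "s3", "changed-pass", "Standard user"),   # still present
    _row("jmember", "s4", "jmember", "Membership user"),    # present and default
    _row("webmaster", "s5", "webmaster", "Administrator"),  # password == username
    _row("editor1", "s6", "correct-horse", "Standard user"),
])

if __name__ == "__main__":
    for f in audit_export(CONSTRUCTED_EXPORT):
        print(f"{f.username:<10} {f.issue:<30} -> {f.action}")
```

Run against the constructed export it reports five findings: builtin and jmember still on their default passwords, jedit and jmember still present as sample users, and webmaster using its username as its password; admin and editor1 pass. In a real deployment the same three checks would run against the product's actual user store with its own hashing scheme substituted for `hash_password`.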
The stakeholders who use Ektron as a content management system in their valuable projects should be alert to this type of threat and take the necessary steps as soon as possible.