RE: Client/Server application that does not authenticate users

From: Dinis Cruz (dinis@ddplus.net)
Date: Thu Aug 12 2004 - 18:42:35 EDT


Quite common.

The other major mistake that most do is to rely on the Client's GUI to
enforce the 'security boundaries' of the client application (for example:
they rely on the fact that the user's GUI doesn't have the functionality to
change passwords (including the administrators), so if such a request is
made it must be from a valid source....)

But, the big question is: "what happens next?"

Are they going to tell their customers that their data could have been (or
was) compromised?

Dinis Cruz
.Net Security Consultant
DDPlus

> -----Original Message-----
> From: Brian Erdelyi [mailto:brian_erdelyi@yahoo.com]
> Sent: 12 August 2004 13:40
> To: pen-test@securityfocus.com
> Subject: Client/Server application that does not authenticate users
>
> I have recently discovered a client/server application
> where the server does not authenticate users prior to
> granting them access. Sadly, this even happens to be
> a financial application for equities trading (sales,
> trades, offerings and order management) used by some
> very large firms.
>
> How common is it to find applications that don't
> authenticate users prior to granting access?
>
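The mistake Dinis describes, a server that honours a password-change message because the GUI supposedly never sends one, shown beside a server that authenticates the session and authorizes the caller itself. This is an added example in Python, not code from the thread; the user store, message fields and token handling are constructed for illustration.

```python
import secrets


def fresh_users():
    # Constructed sample user store: username -> [password, is_admin].
    # Plaintext passwords are a simplification for the demo only.
    return {"alice": ["alice-pw", False], "admin": ["admin-pw", True]}


class VulnerableServer:
    """Trusts that the client GUI never offers an action the user is not entitled to."""

    def __init__(self, users):
        self.users = users

    def change_password(self, request):
        # Nobody is asked who they are: any message naming a user is honoured,
        # including one that changes the administrator's password.
        self.users[request["target"]][0] = request["new_password"]
        return "ok"


class HardenedServer:
    """Enforces the security boundary on the server, independent of the GUI."""

    def __init__(self, users):
        self.users = users
        self.sessions = {}  # session token -> authenticated username

    def login(self, user, password):
        # Authenticate the caller before issuing a session token.
        if user in self.users and secrets.compare_digest(self.users[user][0], password):
            token = secrets.token_hex(16)
            self.sessions[token] = user
            return token
        return None

    def change_password(self, request):
        # 1. Authentication: the request must carry a valid session token.
        caller = self.sessions.get(request.get("token"))
        if caller is None:
            return "denied: not authenticated"
        # 2. Authorization: only the account owner or an admin may change a password.
        target = request["target"]
        if target not in self.users:
            return "denied: no such user"
        if caller != target and not self.users[caller][1]:
            return "denied: not authorized"
        self.users[target][0] = request["new_password"]
        return "ok"
```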
