Back Office Web Administration Authentication Bypass

NGSSoftware Insight Security Research Advisory

Name: Back Office Web Administration Authentication Bypass

Systems Affected: Microsoft’s Back Office Web Administrator 4.0, 4.5

Severity: Medium/High

Vendor URL:

Author: David Litchfield (

Date: 17th April 2002

Advisory number: #NISR17042002A

Advisory URL:

Issue: Attackers can bypass the logon page and access the Back Office Web Administrator


With the Microsoft Back Office suite of products comes a web based administration ASP based application

that runs on IIS. Normally, to use the administration pages a user must authenticate but NGSSoftware

have discovered that it is trivial to bypass this.


Each of the Back Office Web Administrator ASP pages checks to see if the user has been authenticated

but does this with the following snippet of code

If Request.ServerVariables(“auth_type”) = “” Then

Response.Status = “401 ACCESS DENIED”


End If

This is the only “authorization/authentication” performed. As such it’s trivial to bypass:


Host: hostname

Authorization: Basic



No credentials are required as, technically the auth_type envariable has been set, regardless of

whether a user name or password have been supplied.

Risk and Mitigating Factors

By default the Back Office Web Administrator is limited to the loopback address (

which means that it can be accessed remotely. However, it is not uncommon to change this to allow

for remote administration; tying the Administrator to the loopback address makes it somewhat useless.

Basic authentication also needs to be enabled which, again is not uncommon.

Fix Information

For those that match this criteria they are strongly urged to obtain the the patch from

Microsoft. Please see;en-us;Q316838

for mor details.

A check for this issue has also been added to Typhon II, NGSSoftware’s vulnerabilty

assessment scanner. For more information about Typhon, please see the NGSSite @

Call us before you need us.

Our experts will help you.

Get in touch
%d bloggers like this: