.. and most admins don't know
Updated! See below.
In my daytime job I am busy with some colleagues to put together a new website for the company we work for. An interesting job involving many exciting subjects like:
- XHTML & CSS
- C#, ASP.NET and the .NET Framework
- lots of OO and Patterns
- and the exciting Ektron cms400.NET content management system
We have had our share of struggles with this system. Getting it to work with our framework which involves talking to the web service side of the cms and finding that not all functionality from the server controls were available in the web service. On top of that we have found problems with the performance. In the mean time we have worked around these problems and are now in the finishing phases of the long running project.
Now what's with that back door?
Well, it sounds pretty harsh like accusing Ektron of some sort of crime, but that's not my point. The back door is mentioned in the manual (at page 27) and there is a warning for administrators there so any admin who reads his manuals thoroughly ..
(space left blank to count the entire two of them)
any admin who reads his manuals thoroughly can close that back door.
A quick Google around the world by two of my colleagues showed quite a few instances of the exciting Ektron cms400.NET with their login pages exposed.
Then it was simply trying the admin account with a password I will not disclose (you go and guess it) and they were in. That was simply too stupid. Every admin should at least have the brains to change the admin password.
For most of these sites the admin password was changed, but the second built in user account (you try to guess it again) was usually still wide open!
So, it's just stupid admins?
No, it's not stupid admins, they usually are not stupid. Those who didn't change the admin password can be rated stupid, but those who left the second user exposed are not. I blame Ektron for that.
I think it is quite normal to have an admin user account in a system and maybe they should force changing the password the first time the admin logs in to the system. But I do not understand why there is a second user account that there that is completely hidden in the user list so most admins will not even know of the existence unless they have read page 27 of the manual.
So, most of the companies and organizations that use the exciting Ektron cms400.NET are completely unaware of the vulnerability of their web sites. After finding that we could login we immediately logged out. Less friendly people could cause a lot of harm.
We are completely safe with our website. We have simply left out all the admin stuff from our website. We manage the content from within our safe network.
Advise to Ektron
Inform your users and leave out this second user account in your future releases.
Update [3 March 2006]
Eventhough this article has been brought to the attention of Ektron and some site owners that had their website completely open to anyone clever enough to find the open door, no action has been taken by neither Ektron nor site owners.
The Internet is a jungle but they think it is OK to leave the door open with a welcome math in front of it.
Update [13 March 2006]
Ektron has taken notice and is taking action, read this.