[ SOURCE: http://www.secureroot.com/security/advisories/9737037563.html ] Security advisory: Authentix100 Release Date: 1 november 2000 Vendor: Flicks Software (http://www.flicks.com) ** Product Description Authentix is a Windows-based product that offers cookie/form-based or 100% cookie-free "Basic Authentication" website protection while keeping NT Users Names and Passwords private. It protects all files, not just ASP pages. It can validate against an internal database, a text file or an external ODBC datasource. It requires Windows NT or Windows 2000 and IIS. More information on Authentix can be found on http://www.flicks.com/authentix100/ ** Versions affected All versions prior to version 5.3. To check your current version number, start Authentix from the Start Menu/Flicks Software, and look in the About box. ** Problem description By using special characters in the URL combined with some special circumstances it is possible to bypass the authentification mechanism of Authentix100, thus not receiving a login-prompt. This allows arbitrary users to view information that was not intented to be seen by them. ** Patch availability Knowing the importance that Authentix100 plays in authentification methods, Flicks Software has released version 5.3 of Authentix100. All users of Authentix100 are strongly encouraged to upgrade to the latest version of Authentix100 at http://www.flicks.com/authentix100 This upgrade, similar to the cost of the original product, is FREE. ** Technical support and contact Please direct ALL questions regarding this issue to Scott Gordon at scott@flicks.com. Emailing your questions will allow us to address your concerns in the fastest manner possible. ** Credits This bug was originally brought to the attention of Flicks Software by Lisa Saarloos. She would like to thank Flicks Software for there cooperation in resolving this issue and their prompt and kind response. Beheer Magnashop International beheer@magnashop.nl Zeestraat 78 2518 AD DEN HAAG The Netherlands +31 70 3604848