CVE-2022-36664: Password Manager for IIS * User Manual * Version 1.0

Password Manager for IIS 2.0 has a cross-site scripting (XSS) vulnerability via the /isapi/PasswordManager.dll ResultURL parameter.

Year 2000 statement

Password Manager for IIS does not include any time or date oriented functionality or code. Thus, it can be safely assumed that the product itself will perform well in the year 2000 and above.

However, it is dependent on the operating system and web server it is running on. Please see the supplying vendors’ notices for their products’ year 2000 compliance. In the case of Password Manager for IIS, this is mainly Microsoft (which can be found at http://www.microsoft.com). Other vendor information might also apply, e.g. if you use a third party IP stack.

Installation

Password Manager for IIS is a high-performing tool using only minimal system resources. It also doesn’t require an extended installation process.

System Requirements

This product is compatible with all versions of Microsoft IIS. It supports Windows NT 4, Windows 2000, Windows 2003 and Windows XP.

Active Directory users please note: Password Manager for IIS runs without any problems on Windows 2000. Many users use it with great success in Active Directory environments. However, Password Manager uses NT domain API calls to change the password, so you need to refer to all objects and domains by their short names.

The Installation Process

Actual installation is very straightforward:

  1. Unzip the install set.
  2. Copy PasswordManager.dll (the ISAPI extension DLL) to any web directory on your IIS you like. Make sure you have execute permissions set inside IIS for this directory (not only scripting!).
  3. Copy the sample password change dialog and customize it according to your needs (or create your own from scratch).

The product does not perform or require any registry modifications.

Uninstallation

There is no need for any formal uninstallation process. Simply delete the ISAPI extension DLL (PasswordManager.dll) as well as any page you are using Password Manager for IIS on.

Usage

Password Manager for IIS is a standard ISAPI extension callable from any HTTP form. You can include it in your web site by creating a simple (or sophisticated ;-) ) web form with your favourite HTML editor (like Microsoft Frontpage or Macromedia DreamWeaver).

The “ACTION” attribute of the HTML form must point to the PasswordManager.dll ISAPI extension. Be sure to specify the correct path to the DLL. This depends on where you copied the DLL to and where your actual form resides. If ever in doubt, use a full name like: http://www.yourserver.com/yourdirectory/passwordmanager.dll. The form needs to include the following fields:

| FieldName | Used for |
|-----------|----------|
| LANGUAGE | Select language for response text generated by Password Manager for IIS. Supported values are “DE” for German, “BR” for Brazilian Portuguese and “EN” for English. This field can be omitted and defaults to English. |
| DOMAIN | Name of the NT Domain that is to be used for password changes. Only users from this domain can change their password (if you have multiple domains, the user needs to enter the correct one or select it from a list box). Please note: if you run Password Manager for IIS in a workgroup environment, this parameter must hold the computer name, NOT the workgroup name! This field is mandatory. |
| RESULTURL | The URL PasswordManager redirects to after it has tried to change the password. This URL is called from within Password Manager. We recommend it to be a fully qualified name (e.g. starting with HTTP). This URL will be passed the outcome of the operation as parameter "state". It is up to the page residing at this URL to decode “state” and provide feedback to the user. The URL is called as follows: RESULTURL?state=OperationStatus. See appendix for statuses. Please note: unregistered versions of Password Manager will redirect after a 10 second delay only. If this field is not specified, Password Manager provides a default status form. |
| USER | NT user name (without domain part) of the user whose password needs to be changed. |
| OLDPWD | Old password |
| NEWPWD | New password |
| NEWPWDCONFIRM | Confirmation of new password. NEWPWD & NEWPWDCONFIRM need to be identical, otherwise Password Manager for IIS does not change the user’s password. |

Sample

The following is a simple sample form. It assumes that PasswordManager is stored in a directory named “ISAPI” that is on the same directory level as the one the form is stored in. One example might be:

“<web-root>/forms” for the form’s html file and
“<web-root>/ISAPI” for the extension DLL

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Change Domain Password</title>
</head>
<body>
<p><strong><big>Change Domain Password</big></strong></p>
<form method="post" action="…/isapi/PasswordManager.dll">
<input type="hidden" name="Language" value="EN">
<input type="hidden" name="Domain" value="YOURNTDOMAIN">
<div align="left"><table border="0" cellpadding="0" cellspacing="0">
<tr>
<td><strong>User Name</strong></td>
<td><input type="text" name="User" size="20"></td>
</tr>
<tr>
<td><strong>Current Password</strong></td>
<td><input type="password" name="OldPwd" size="20"></td>
</tr>
<tr>
<td><strong>New Password</strong></td>
<td><input type="password" name="NewPwd" size="20"></td>
</tr>
<tr>
<td><strong>New Password Confirmation</strong></td>
<td><input type="password" name="NewPwdConfirm" size="20"></td>
</tr>
<tr>
<td><strong></strong></td>
<td><input type="submit" value="Change Password!">
<input type="reset">
</td>
</tr>
</table>
</div>
</form>
</body>
</html>

The example above is for a simple change password dialog with no customised result page. Inside the install set is a more complex sample.

This sample assumes that the sample-form.htm and MyResultPage.asp files are copied to a web root. There should be a directory named “isapi” in which PasswordManager.dll resides. Sample-form.htm is basically the same sample as above, but references MyResultPage.asp as a customized result page. Once PasswordManager has done its actions, it calls this page with a parameter "state". MyResultPage.asp evaluates this “state” variable and displays an appropriate message. You are free to do whatever you want inside this result page.

Please note that the unregistered version of Password Manager has a delay of 10 seconds before redirecting to the result page. The registered version will immediately redirect.

Status Codes

The following status codes are used by Password Manager to indicate the outcome of the change password operation:

| Code | Meaning |
|------|---------|
| 0 | success (all others indicate failure) |
| 5 or 53 | PDC not found. Most probable causes are: domain name misspelled; PDC actually down (powered off or otherwise offline); if Password Manager for IIS is to be used in a Workgroup environment, parameter DOMAIN must hold the computer name, NOT the workgroup name; user restriction “Can’t change password” checked in user manager. |
| 86 | Old Password incorrect |
| 2245 | New password is too short. |
| 2221 | Invalid Username. Most probably a typo; the user account does not exist. |
| 4294967295 | Fields “New Password” and “New Password Confirm” do not match. |
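
An added example, not part of the vendor's manual or the product's code: the CVE entry at the top of this page names ResultURL as the XSS vector, and the manual leaves decoding of “state” to the result page. The Python below shows a strict check for RESULTURL values that a request filter in front of PasswordManager.dll could apply, and a result page that maps “state” to fixed text instead of echoing it. The function names, ALLOWED_HOSTS and the message wording are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Codes as listed in the "Status Codes" table; message wording is this example's.
STATUS_TEXT = {
    0: "Password changed.",
    5: "PDC not found.",
    53: "PDC not found.",
    86: "Old password incorrect.",
    2245: "New password is too short.",
    2221: "Invalid user name.",
    4294967295: "New password and confirmation do not match.",
}

# Assumption: hosts that legitimately serve result pages (constructed value).
ALLOWED_HOSTS = {"www.yourserver.com"}


def check_result_url(value, allowed_hosts=ALLOWED_HOSTS):
    """Return value if it is a plain http(s) URL on an allowed host, else None."""
    if not value.isascii() or not value.isprintable():
        return None                      # control characters such as CR/LF
    if any(c in value for c in "<>\"'`\\ "):
        return None                      # markup or attribute delimiters
    try:
        parts = urlsplit(value)
        port_ok = parts.port in (None, 80, 443)   # .port raises on a bad port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or parts.username or parts.password:
        return None
    if parts.hostname not in allowed_hosts or not port_ok:
        return None
    return value


def render_state(query_string):
    """Result-page side: turn ?state=... into HTML without echoing raw input."""
    values = parse_qs(query_string).get("state", [])
    raw = values[0] if len(values) == 1 else ""
    # Digits only; 4294967295 (0xFFFFFFFF) does not fit a signed 32-bit integer.
    code = int(raw) if raw.isascii() and raw.isdigit() and len(raw) <= 10 else None
    text = STATUS_TEXT.get(code, "Password change failed.")
    return "<p>" + html.escape(text) + "</p>"
```

Anything that fails the check is best dropped so that the product's default status form is used; unknown or repeated “state” values fall through to a generic failure message.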

Version History

This short history shall provide you with some background information about the versions available as well as their pros and cons.

1.0

This is the initial release.

1.1

Some minor bug fixes.

2.0

  • Fully compatible with Windows 2000 (tested with build 2072)
  • Error Reporting Improved (less “error xx occured”)
  • Portuguese Language versions available
  • Parameter “RESULTURL” added. This allows full customization of the whole change password process.

How to obtain Updates

Please visit our web site http://www.Adiscon.com for information about new and updated products. Registered users will receive notification of new versions via email. The registration is valid for the current major release as well as the next one (in this case 3.0).

License

Password Manager for IIS is distributed as Shareware. You are free to use the product for evaluation. However, if you feel comfortable with it and plan to use it for an extended period of time, you must register with Adiscon and pay the license fee.

We do not want to restrict the length of the evaluation period by some kind of software mechanism. However, we think an evaluation period of 1 month should be reasonable for all parties interested.

Please support further development by registering the product. There is a license fee per Windows NT system Password Manager for IIS is running on. You need only one license per machine, even if you run multiple virtual servers on a single machine or have multiple CPUs inside it.

For orders outside of Germany, the license fee is $US 89 (plus tax if applicable). EU residents with VAT identification number should state this number in order to get a tax exemption. If not stated, full VAT will be charged. All EU orders will be processed in Euro. US$ payment is available for international customers, only.

Please call for volume orders.

BBS sysops feel free to include the distribution set of this product in your library. Please be sure to include the full set (program & this documentation). Any questions can be directed at [email protected].

Are there any restrictions in the unregistered version?

Nope - we don’t like "crippleware". However, the unregistered version does identify itself as unregistered in its responses to password change requests. Based on experience we needed to introduce a slight delay with the RESULTURL version - if we hadn’t done this, nobody would ever see the “unregistered” message. We think this is fair.

How to register

Registration is as simple as 1-2-3:

  1. Print out the following registration form
  2. Please fill it in. Remember to include number of licenses requested and payment information as well as your email id.
  3. Mail or fax the registration form to Adiscon.

We accept cash (bills please - and: no faxed ones, please ;-) ) as well as MasterCard/Eurocard or American Express cards. We also accept payment by check if - and only if - the following criterion is met:

If you are paying in US$, your check must be drawn on an US American bank and made payable to “Rainer Gerhards” (very important, do not make payable to Adiscon GmbH!).

We are currently working on secure online payment systems.

If you need additional payment options, please contact us at [email protected] or the below given addresses. Please note that - for your security - we generally do not accept email registrations. We strongly encourage you never to transmit your credit card information in clear text over the Internet.

Direct your registrations to:

Adiscon GmbH
Franz-Marc Strasse 144
50374 Erftstadt
Germany

Fax: +49-9349-928820
email: [email protected]
Web: http://www.Adiscon.com

Due to German laws all credit card orders need to be processed in DEM. US$ payments will be converted to DEM according to current exchange rate. There might be a slight difference in the converted value due to exchange rate differences.

Registration / Order Form

Password Manager for IIS
Registration / Order

Company

Name

Address

Country

Phone

Fax

email

VAT registration number (EU residents only)

Nbr. of Licenses

Payment

o Cash o MasterCard o American Express o Check
o JCB o VISA

Price

Credit Card Information

Card Number: ____________________________________

Cardholder Name (as imprinted on card): ____________________________________

Expiration Date ____________________________________

Please be sure to specify your email address, number of licenses requested and payment information (fields in bold typeface).

Please sign below:

________________________________________________________
Date & Signature

and forward this form to

Adiscon GmbH
Paul-Klee-Str. 7
50374 Erftstadt
Germany

Fax: +49-2235-985032
Fax option for MasterCard orders, only.

Liability

Please use the evaluation period to check if Password Manager for IIS is suitable for you and your system environment. We encourage you to try the product in a test environment. We accept no liability for any damage during the evaluation period.

Liability for registered users is limited to the amount of the registration fee.

Copyrights

This documentation as well as the actual Password Manager for IIS product is copyrighted by Adiscon GmbH, Germany.

Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corp., Redmond, WA, USA.

Other Products of Interest

You might be interested in other fine system management tools from Adiscon. Be sure to have a look at our products at http://www.Adiscon.com.
