Instead of using typical session tokens or cookies, the application checks on every request whether the originating IP address has previously logged in successfully. As soon as an authentication request from a given source IP succeeds, that IP address is treated as authenticated. No other session information is stored. Therefore, it is possible to spoof the IP address of a logged-in user to gain access to the Access Manager web interface.
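The per-request IP check described above, next to a session-token variant, as an added example that is not the product's code. The class and function names, the sample credential, the session lifetime and the shared-address scenario are assumptions constructed for illustration.

```python
import secrets
import time

USERS = {"admin": "correct horse"}  # constructed sample credential store
SESSION_TTL = 900                   # assumed session lifetime in seconds


def _password_ok(user, password):
    return secrets.compare_digest(USERS.get(user, "").encode(), password.encode())


class IpAuth:
    """Behaviour described above: a source IP that logged in once is trusted."""

    def __init__(self):
        self.authenticated_ips = set()

    def login(self, src_ip, user, password):
        ok = _password_ok(user, password)
        if ok:
            self.authenticated_ips.add(src_ip)
        return ok

    def is_authorized(self, src_ip, token=None):
        # No per-client secret: any request from this address passes.
        return src_ip in self.authenticated_ips


class TokenAuth:
    """Hardened form: each login yields an unguessable, expiring session token."""

    def __init__(self):
        self.sessions = {}  # token -> expiry (monotonic clock)

    def login(self, src_ip, user, password):
        if not _password_ok(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = time.monotonic() + SESSION_TTL
        return token

    def is_authorized(self, src_ip, token=None):
        # The source address is not a credential; only a live token counts.
        expiry = self.sessions.get(token)
        return expiry is not None and time.monotonic() < expiry


def second_client_same_ip(auth):
    """Client A logs in; client B shares A's source IP (e.g. NAT), never logs in."""
    shared_ip = "203.0.113.10"  # constructed, documentation address range
    result = auth.login(shared_ip, "admin", "correct horse")
    a_ok = auth.is_authorized(shared_ip, result if isinstance(result, str) else None)
    return a_ok, auth.is_authorized(shared_ip)  # B presents no credential
```

`second_client_same_ip(IpAuth())` shows the second client being accepted without ever authenticating, while the same call with `TokenAuth()` rejects it.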
The product uses an IP address for authentication.
https://cwe.mitre.org/data/definitions/291.html
This attack relies on the adversary using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domain names (FQDNs), URLs, IP addresses, or IP address ranges. If the location information is not validated against a variety of different possible encodings and formats, the adversary can use an alternate format to bypass application access control.
https://capec.mitre.org/data/definitions/4.html