pGina.Fork Authentication Bypass Vulnerability in HttpAuth Plugin via DNS Poisoning

A vulnerability allowing authentication bypass has been identified in the pGina.Fork software, specifically in versions through 3.9.9.12, when the HttpAuth plugin is active. This issue arises from the plugin's reliance on DNS TXT record queries to a hardcoded domain, 'pginaloginserver', for authentication validation. If an adversary can control the DNS response, they can manipulate the authentication process, redirecting plaintext credentials to a server under their control and potentially gaining unauthorized access to the system.

Impact

Exploitation of this vulnerability allows for authentication bypass, enabling attackers to gain unauthorized access to systems and capture plaintext credentials from users authenticating over the network. Additionally, it could lead to unauthorized administrative access on affected devices.

Reproduction

To reproduce this vulnerability, first ensure that pGina.Fork version 3.9.9.12 or earlier is installed and the HttpAuth plugin is enabled. Configure the plugin to use 'pginaloginserver' as the authentication server. Then, perform ARP poisoning to take over the DNS resolution for 'pginaloginserver', directing the application to a server controlled by the attacker. When a user attempts to authenticate, the application will query the manipulated DNS response, bypassing authentication and allowing access to the system.