'[Full-Disclosure] Critical bug in Web Wiz Forum'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-Disclosure] Critical bug in Web Wiz Forum
From:       "Alexander" <pk95 () yandex ! ru>
Date:       2004-04-30 19:17:18
Message-ID: !~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAtJph+OJM/UO4pIQFHwu+PsKAAAAQAAAAzz0OAQpZrEWanbbpS4IRAgEAAAAA () yandex ! ru
[Download RAW message or body]

Hi all and Bruce!

Ctrlbrk  found some critical bug in web wiz forum 7.х (Including last
public version 7.7а). 

1. SQL Injection in 
pop_up_ip_blocking.asp, line  113

  For each laryCheckedIPAddrID in Request.Form("chkDelete")  ← not
sanitized  

Must be 
 
For each laryCheckedIPAddrID in Cint(Request.Form("chkDelete"))

In result, remote user may manipulate SQL query and access to any user
account (User_code in tblAuthor table). Forum also allows to change password
without knowledge old password. 

2. Unauthorized access in pop_up_topic_admin.asp when update topic status:

Line 115: If blnAdmin = False Then blnModerator = isModerator(intForumID,
intGroupID) <-- blnModerator=false if user is not moderator and all! 

Must be:
If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)
If blnAdmin = False AND blnModerator = False Then 
 
Response.Write("<div align=""center"">") 

Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br
/><br /><br />") 

Response.Write("</div>") 
End If

In result, remote unauthorized user may manipulate Topic status - Change
name of topic, close topic, move topic ...

3. Unauthorized admin Topic in  pop_up_ip_blocking.asp
Line 107: If blnAdmin = False Then blnModerator = isModerator(intForumID,
intGroupID) 

Must be:
If blnAdmin = False AND blnModerator = False Then 
 
Response.Write("<div align=""center"">") 

Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br
/><br /><br />") 

Response.Write("</div>") 
End If

In result, remote unauthorized user may block any IP address.



Pig Killer
www.SecurityLab.ru
www.Seclab.ru
www.Securityfocus.ru


Special thanks to Ctrlbrk



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic