[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-Disclosure] Critical bug in Web Wiz Forum
From: "Alexander" <pk95 () yandex ! ru>
Date: 2004-04-30 19:17:18
Message-ID: !~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAtJph+OJM/UO4pIQFHwu+PsKAAAAQAAAAzz0OAQpZrEWanbbpS4IRAgEAAAAA () yandex ! ru
[Download RAW message or body]
Hi all and Bruce!
Ctrlbrk found some critical bug in web wiz forum 7.х (Including last
public version 7.7а).
1. SQL Injection in
pop_up_ip_blocking.asp, line 113
For each laryCheckedIPAddrID in Request.Form("chkDelete") ← not
sanitized
Must be
For each laryCheckedIPAddrID in Cint(Request.Form("chkDelete"))
In result, remote user may manipulate SQL query and access to any user
account (User_code in tblAuthor table). Forum also allows to change password
without knowledge old password.
2. Unauthorized access in pop_up_topic_admin.asp when update topic status:
Line 115: If blnAdmin = False Then blnModerator = isModerator(intForumID,
intGroupID) <-- blnModerator=false if user is not moderator and all!
Must be:
If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)
If blnAdmin = False AND blnModerator = False Then
Response.Write("<div align=""center"">")
Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br
/><br /><br />")
Response.Write("</div>")
End If
In result, remote unauthorized user may manipulate Topic status - Change
name of topic, close topic, move topic ...
3. Unauthorized admin Topic in pop_up_ip_blocking.asp
Line 107: If blnAdmin = False Then blnModerator = isModerator(intForumID,
intGroupID)
Must be:
If blnAdmin = False AND blnModerator = False Then
Response.Write("<div align=""center"">")
Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br
/><br /><br />")
Response.Write("</div>")
End If
In result, remote unauthorized user may block any IP address.
Pig Killer
www.SecurityLab.ru
www.Seclab.ru
www.Securityfocus.ru
Special thanks to Ctrlbrk
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic