
[Full-Disclosure] Critical bug in Web Wiz Forum

Subject: [Full-Disclosure] Critical bug in Web Wiz Forum
Date: Fri, 30 Apr 2004 23:17:18 +0400
Hi all and Bruce!

Ctrlbrk found some critical bugs in Web Wiz Forum 7.x (including the last
public version, 7.7a).

1. SQL Injection in pop_up_ip_blocking.asp, line 113

  For each laryCheckedIPAddrID in Request.Form("chkDelete")  <-- not sanitized

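Must be:

  For Each laryCheckedIPAddrID In Request.Form("chkDelete")
      ' Convert each submitted value; CInt cannot wrap the collection itself
      laryCheckedIPAddrID = CInt(laryCheckedIPAddrID)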

As a result, a remote user may manipulate the SQL query and access any user
account (User_code in tblAuthor table). The forum also allows changing the
password without knowledge of the old password.

2. Unauthorized access in pop_up_topic_admin.asp when update topic status:

Line 115: If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID) <-- blnModerator=false if user is not moderator and all!

Must be:

If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)
If blnAdmin = False AND blnModerator = False Then
    Response.Write("<div align=""center"">")
    Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br /><br /><br />")
    Response.Write("</div>")
End If

As a result, a remote unauthorized user may manipulate topic status: change
the name of a topic, close a topic, move a topic ...

3. Unauthorized admin Topic in pop_up_ip_blocking.asp

Line 107: If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)

Must be:

If blnAdmin = False AND blnModerator = False Then
    Response.Write("<div align=""center"">")
    Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br /><br /><br />")
    Response.Write("</div>")
End If

As a result, a remote unauthorized user may block any IP address.



Pig Killer
www.SecurityLab.ru
www.Seclab.ru
www.Securityfocus.ru


Special thanks to Ctrlbrk
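
The two kinds of fix described in the message above (an access check before the action, and numeric handling of each chkDelete value), as an added classic ASP example that is not part of the original post and is not Web Wiz Forum code. It goes further than the posted fixes by ending the request after the denial and binding the ID as a query parameter; adoCon, tblExampleBanList, Ban_ID and IsWholeNumber are assumed or hypothetical names.

```vbscript
<%
' Added example, not Web Wiz Forum source code.
' Assumed to exist: adoCon (open ADODB.Connection), blnAdmin, intForumID,
' intGroupID, isModerator(), strTxtAccessDenied.
' Hypothetical names: tblExampleBanList, Ban_ID, IsWholeNumber().
Const adCmdText = 1, adInteger = 3, adParamInput = 1, adExecuteNoRecords = 128
Dim blnModerator, laryCheckedIPAddrID, objCmd

' True only for a plain run of 1 to 9 digits, which always fits in a Long.
Function IsWholeNumber(strValue)
    Dim objRegExp
    Set objRegExp = New RegExp
    objRegExp.Pattern = "^[0-9]{1,9}$"
    IsWholeNumber = objRegExp.Test(Trim(strValue))
End Function

' 1. Authorisation gate: decide, refuse, and stop before any state changes.
blnModerator = False
If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)
If blnAdmin = False And blnModerator = False Then
    Response.Status = "403 Forbidden"
    Response.Write("<div align=""center""><span class=""lgText"">" & _
        Server.HTMLEncode(strTxtAccessDenied) & "</span></div>")
    Response.End   ' without this the rest of the page would still run
End If

' 2. Parameterised delete: the ID travels as a typed value, never as SQL text.
Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = adoCon
objCmd.CommandType = adCmdText
objCmd.CommandText = "DELETE FROM tblExampleBanList WHERE Ban_ID = ?"
objCmd.Parameters.Append objCmd.CreateParameter("@id", adInteger, adParamInput)

For Each laryCheckedIPAddrID In Request.Form("chkDelete")
    ' Reject anything that is not a bare integer instead of trying to clean it.
    If IsWholeNumber(laryCheckedIPAddrID) Then
        objCmd.Parameters(0).Value = CLng(laryCheckedIPAddrID)
        objCmd.Execute , , adExecuteNoRecords
    End If
Next
Set objCmd = Nothing
%>
```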




  • [Full-Disclosure] Critical bug in Web Wiz Forum, Alexander <=