Date: Sun, 2 Nov 2003 12:49:25 +0300
From: "Alexander Antipov" <pk95@...dex.ru>
To: <full-disclosure@...ts.netsys.com>, <bugtraq@...urityfocus.com>
Cc: <info@...wizguide.info>
Subject: Unauthorized access in Web Wiz Forum


Unauthorized access in Web Wiz Forum

A vulnerability has been found in Web Wiz Forum (6.34, 7.01, 7.5). A remote
user (authenticated or not) can read messages in a private forum. A remote
user can also post messages in a private forum.

The software does not check that the message belongs to the given forum when
"quote" mode is used. As a result, a remote user (authenticated or not) can
read and post messages in a private forum to which he has no access. Example:
User "A" has read and write access to Forum1 (FID=1) and no access to Forum2
(FID=2), and the message with PID=1111 (in topic TID=11) belongs to Forum2
(FID=2). User "A" has no access to topic TID=11 with message PID=1111.
However, the user can use "quote" mode for message PID=1111 with Forum1
(FID=1) (instead of FID=2) to read the private message and reply to it, using
the following URL:

http://webwizforum/post_message_form.asp?mode=quote&PID=1111&FID=1&TID=11&TPN=1
(instead of PID=1111&FID=2&TID=11&TPN=1)

Thanks to Tecklord, Pharaoh and the other moderators of
http://Forum.SecurityLab.ru


Sorry for my poor English


Solution:

-- begin snip post_message_form.asp ----
'If this is a quoted message read in the message to be quoted
If strMode = "quote" Then

        'Get the number this thread is after
        intTotalNumOfThreads = Request.QueryString("NOP")

        'Get the return thread page
        intRecordPositionPageNum = Request.QueryString("TPN")

'---  bug fix by pharaoh ----
        'Check that topic TID really belongs to forum FID
        strSQL = "SELECT " & strDbTable & "Topic.Subject FROM " & strDbTable & "Topic "
        strSQL = strSQL & "WHERE " & strDbTable & "Topic.Forum_ID = " & _
                 CLng(Request.QueryString("FID")) & " "
        strSQL = strSQL & "AND " & strDbTable & "Topic.Topic_ID = " & _
                 CLng(Request.QueryString("TID"))
        rsCommon.Open strSQL, adoCon
        If rsCommon.EOF Then
                'No such topic in this forum: release objects and refuse
                rsCommon.Close
                Set rsCommon = Nothing
                Set adoCon = Nothing
                Response.Redirect "insufficient_permission.asp"
        End If
        rsCommon.Close

        'Read the quoted message only if message PID belongs to topic TID
        strSQL = "SELECT " & strDbTable & "Author.Author_ID, " & _
                 strDbTable & "Author.Username, " & strDbTable & "Thread.Message "
        strSQL = strSQL & "FROM " & strDbTable & "Thread INNER JOIN " & _
                 strDbTable & "Author ON " & strDbTable & "Thread.Author_ID = " & _
                 strDbTable & "Author.Author_ID "
        strSQL = strSQL & "WHERE " & strDbTable & "Thread.Thread_ID = " & _
                 CLng(Request.QueryString("PID")) & " "
        strSQL = strSQL & "AND " & strDbTable & "Thread.Topic_ID = " & _
                 CLng(Request.QueryString("TID"))

        rsCommon.Open strSQL, adoCon
        If rsCommon.EOF Then
                'Message is not part of this topic: release objects and refuse
                rsCommon.Close
                Set rsCommon = Nothing
                Set adoCon = Nothing
                Response.Redirect "insufficient_permission.asp"
        End If
'---  bug fix by pharaoh ----
-- end snip post_message_form.asp ----
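
The check that the fix introduces, modelled outside ASP as an added example (not part of the original post and not Web Wiz Forum code). It assumes a SQLite stand-in for the Topic, Thread and Author tables named in the snippet, a hypothetical `allowed_forums` set in place of the forum's own permission check, and constructed sample rows using the advisory's IDs.

```python
import sqlite3

def build_db():
    """Constructed sample data; FID/TID/PID values follow the advisory's example."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Author(Author_ID INTEGER PRIMARY KEY, Username TEXT);
        CREATE TABLE Topic(Topic_ID INTEGER PRIMARY KEY, Forum_ID INTEGER, Subject TEXT);
        CREATE TABLE Thread(Thread_ID INTEGER PRIMARY KEY, Topic_ID INTEGER,
                            Author_ID INTEGER, Message TEXT);
        INSERT INTO Author VALUES (1, 'B');
        INSERT INTO Topic VALUES (10, 1, 'public topic'), (11, 2, 'private topic');
        INSERT INTO Thread VALUES (1000, 10, 1, 'public text'),
                                  (1111, 11, 1, 'private text');
    """)
    return db

def quote_unchecked(db, allowed_forums, fid, tid, pid):
    """Behaviour the advisory describes: FID is authorised, PID is never tied to it."""
    if fid not in allowed_forums:          # hypothetical permission check
        return None
    row = db.execute("SELECT Message FROM Thread WHERE Thread_ID = ?",
                     (pid,)).fetchone()
    return row[0] if row else None

def quote_checked(db, allowed_forums, fid, tid, pid):
    """Behaviour after the fix: PID must be in topic TID, and TID in forum FID."""
    if fid not in allowed_forums:          # hypothetical permission check
        return None
    row = db.execute(
        "SELECT Thread.Message FROM Thread "
        "JOIN Topic ON Topic.Topic_ID = Thread.Topic_ID "
        "WHERE Thread.Thread_ID = ? AND Thread.Topic_ID = ? AND Topic.Forum_ID = ?",
        (pid, tid, fid)).fetchone()        # bound parameters, no string building
    return row[0] if row else None

if __name__ == "__main__":
    db = build_db()
    allowed = {1}                          # user "A": access to Forum1 only
    print("unchecked:", quote_unchecked(db, allowed, 1, 11, 1111))
    print("checked:  ", quote_checked(db, allowed, 1, 11, 1111))
```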
