Date: Tue, 31 Oct 2006 23:48:40 -0800 (PST)
From: Rapigator <rapigator@...oo.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Invision Power Board 2.1.7 debug mode vulnerability

Debug mode is a feature in IPB 2.0.0-2.1.7 that shows
all database queries for each forum page requested.

If Debug mode is turned on, it is possible for anyone
to request a forgotten password for an account, and
capture the validation key that is sent to the
account's email address. This allows an attacker to
change anyone's password without having access to the
email account.

Through debug mode, it is also possible to bypass
captcha protection used to block bot actions (such as
automated registration), and table names can also be
discovered.

Debug mode is turned off by default, yet there are no
security warnings regarding this feature. It is best
to keep it off at all times.



Download attachment "debug217.php" of type "application/x-php" (3275 bytes)
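The design a defender would want against the first issue above, as an added example (not code from Invision Power Board or from the original post): the database row holds only a SHA-256 hash of the random validation key, so a trace that echoes every query and its bound values, as debug mode does, never reveals a value that can be used to reset the password. The table name, the query-logging wrapper and the in-memory sqlite database are constructed for the demonstration.

```python
"""Hardened forgotten-password flow: the database never holds the raw key.

Added example, not code from Invision Power Board or from the original post.
The QueryLog class stands in for a debug mode that echoes every SQL statement
with its bound values; leaked_by_debug_trace() checks whether the raw key ever
appears in that trace.  Table and function names are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import sqlite3


def setup_db():
    # In-memory stand-in for the forum database (constructed for the demo).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reset_keys (member_id INTEGER, key_hash TEXT)")
    return db


class QueryLog:
    """Mimics a debug mode that records every statement and its parameters."""
    def __init__(self):
        self.lines = []

    def __call__(self, db, sql, params):
        self.lines.append(sql + " -- params=" + repr(params))
        return db.execute(sql, params)


def issue_reset_key(db, log, member_id):
    # 128 bits of CSPRNG output; only the member's email ever receives it.
    key = secrets.token_hex(16)
    # Unsalted SHA-256 is adequate here because the key itself is high-entropy;
    # the stored hash cannot be turned back into the key.
    key_hash = hashlib.sha256(key.encode()).hexdigest()
    log(db, "INSERT INTO reset_keys VALUES (?, ?)", (member_id, key_hash))
    db.commit()
    return key


def validate_reset_key(db, log, member_id, presented_key):
    row = log(db, "SELECT key_hash FROM reset_keys WHERE member_id = ?",
              (member_id,)).fetchone()
    if row is None:
        return False
    presented_hash = hashlib.sha256(presented_key.encode()).hexdigest()
    # Constant-time comparison avoids leaking the hash through timing.
    return hmac.compare_digest(row[0], presented_hash)


def leaked_by_debug_trace(log, key):
    """True if the raw validation key appears anywhere in the echoed queries."""
    return any(key in line for line in log.lines)
```

The same pattern applies to the captcha answer: store an HMAC or hash of the expected answer rather than the answer itself, so a query trace cannot be used to skip the check.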

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
