[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030616095113.14657.qmail@www.securityfocus.com>
Date: 16 Jun 2003 09:51:13 -0000
From: JeiAr <jeiar@...ms.com>
To: bugtraq@...urityfocus.com
Subject: Multiple Vulnerabilities In Snitz Forums
Multiple Vulnerabilities In Snitz 3.4.0.3
-------------------------------------------
Versions Affected: 3.4.0.3 (current) / Others?
Vendor Notification: Informed
Vendor Website: http://www.snitz.com
Product Description
-------------------------------------------
Snitz Forums is a full-featured UBB-style ASP
discussion board application. New features in version 3.3:
Complete Topic/Post Moderation, Topic Archiving, Subscribe
to Board / Category / Forum / Topic, Improved unsubscribe,
Short(er) urls, Category and Forum ordering, and Improved
Members-page. And like always, upgrading of the database is
done for you by the setupscript
search.asp Search Feature XSS Vulnerability
-------------------------------------------
Snitz search feature is vulnerable to XSS which
can aide an attacker in stealing cookies, and thus
compromising the account, as described below
http://path/search.asp?Search="><script>alert()</script>
Account Compromise Via Cookie Poisoning
-------------------------------------------
In order to steal another users identity, all an attacker
needs to know is thier encrypted password. This is not
very hard to obtain using the XSS as described above, or
other methods. Once an attacker has this info, all they
have to do is login to thier normal account to get a valid
session id, close the browser, replace thier username and
encrypted pass with that of the victim, and return to the
site where they will be recognized as the victim.
password.asp Password Reset Vulnerability
-------------------------------------------
This is the most serious of the vulns, as it requries no
real effort and leaves the entire snitz forum open to attack.
All an attacker has to do is request a forgotten password, save
the password reset page offline,edit the member id to the desired
member id, and submit the form. The members password will then
be reset to that of the attackers choosing.
Credits
-------------------------------------------
Credits go to JeiAr of Gulftech Computers &
CSA Security Rsearch http://www.gulftech.org
Powered by blists - more mailing lists