lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20031031215944.3041.qmail@sf-www1-symnsj.securityfocus.com>
Date: 31 Oct 2003 21:59:44 -0000
From: Virginity Security <advisory@...fiweb.de>
To: bugtraq@...urityfocus.com
Subject: Virginity Security Advisory 2003-002 : Tritanium Bulletin Board -
    Read and write from/to internal (protected) Threads




- - - --------------------------------------------------------------------
Virginity Security Advisory 2003-002
- - - --------------------------------------------------------------------
             DATE : 2003-10-31 22:59 GMT
             TYPE : remote
VERSIONS AFFECTED : <== Tritanium Bulletin Board 1.2.3 (http://www.tritanium-scripts.com/)
           AUTHOR : Virginity
- - - --------------------------------------------------------------------


Description:

I found a security bug in Tritanium Bulletin Board:
Normal Users can read the content of Threads to which they have no access rights!
(and can answer to it which may be a problem if the internal forum has the right to insert html code)

Author of the Software has been notified.

- - - --------------------------------------------------------------------


Example:

http://[target].com/[path]/index.php?faction=reply&thread_id=[ID OF THE THREAD TO READ]&forum_id=[ID OF FORUM]&sid=[your sid]

Shows the window where The Attacker can answer to the topic and below that a window with the content of the thread!!!
The Attacker can easily read all protected Threads since the thread_id is counted for every forum newly so just put from 1 on upwards :-)

- - - --------------------------------------------------------------------


Solution:
Hey sorry this time i had no time for a solution :-)

- - - --------------------------------------------------------------------

Powered by blists - more mailing lists