lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041130203855.10112.qmail@www.securityfocus.com>
Date: 30 Nov 2004 20:38:55 -0000
From: Hillel Himovich <hll@...vision.net.il>
To: bugtraq@...urityfocus.com
Subject: Invision Power Board 'Allow auto login' setting override




This next Vulnerability was discovered by Keyboard_Criminal <matan.marciano at gmail.com>

IPB Has a setting that enables admins to disable members from auto-login to the forums
This can be easily bypassed using this next method:

1. Use the password reset form and enter there requested nickname.
2. When you get the email, follow the instructions.

After filling the form with the user id, the security code and the new password
you will auto login to the forms, and any attempt to come back to the forums will also result in an auto-login because user id and pass hash are saved in the cookies.

This method culd be used to save a uid\pass containing cookie that will allow auto login, thus enabling malicious users who have an admin password hash to 'Cookie Edit' the details in the cookie and auto-login under the admin account.

HLL and Keyboard_Criminal


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ