From: pk95 at yandex.ru (Alexander Antipov)
Subject: Unauthorized access in Web Wiz Forum

What's shit? I did not send this message again!

--------------------------------

Received: from NETSYS.COM ([199.201.233.10]:55737 "EHLO netsys.com"
 smtp-auth: <none> TLS-CIPHER: <none> TLS-PEER-CN1: <none>) by mail.yandex.ru
 with ESMTP id <S687718AbTKFWoQ>; Fri, 7 Nov 2003 01:44:16 +0300
Received: from NETSYS.COM (localhost [127.0.0.1])
 by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id hA6LbcG06235;
 Thu, 6 Nov 2003 16:37:38 -0500 (EST)
Received: from mail.suretel.net (mail1.suretel.net [69.8.3.246])
 by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id hA6LXI704437
 for <full-disclosure@...ts.netsys.com>; Thu, 6 Nov 2003 16:33:20 -0500 (EST)
Received: from mail pickup service by mail.suretel.net with Microsoft SMTPSVC;
 Thu, 6 Nov 2003 15:32:18 -0600

--------------------------------



----- Original Message ----- 
From: "Alexander Antipov" <pk95@...dex.ru>
To: <full-disclosure@...ts.netsys.com>; <bugtraq@...urityfocus.com>
Cc: <info@...wizguide.info>
Sent: Sunday, November 02, 2003 12:49 PM
Subject: [Full-Disclosure] Unauthorized access in Web Wiz Forum


> Unauthorized access in Web Wiz Forum
>
> A vulnerability has been found in Web Wiz Forum (6.34, 7.01, 7.5). A remote
> user (authenticated or not) can read messages in a private forum. A remote
> user can post messages in a private forum.
>
> The software does not compare the message to the forum when "quote" mode is
> used. As a result, a remote user (authenticated or not) can read and post
> messages in a private forum to which he has no access. Example:
> User "A" has read and write access to Forum1 (FID=1) and no access to Forum2
> (FID=2), and the message with PID=1111 (in topic TID=11) belongs to Forum2
> (FID=2). User "A" has no access to topic TID=11 with message PID=1111.
> However, the user can use "quote" mode for message PID=1111 with Forum1
> (FID=1) (instead of FID=2) to read the private message and answer it, using
> the following URL:
>
> http://webwizforum/post_message_form.asp?mode=quote&PID=1111&FID=1&TID=11&TPN=1
> (instead of PID=1111&FID=2&TID=11&TPN=1)
>
> Thanks to Tecklord, Pharaoh and the other moderators of
> http://Forum.SecurityLab.ru
>
>
> Sorry for my poor English
>
>
> Solution:
>
> -- begin snip post_message_form.asp ----
> 'If this is a quoted message read in the message to be quoted
> If strMode = "quote" Then
>
>         'Get the number this thread is after
>         intTotalNumOfThreads = Request.QueryString("NOP")
>
>         'Get the return thread page
>         intRecordPositionPageNum = Request.QueryString("TPN")
>
> ---  bug fix by pharaoh ----
>         'Check that topic TID belongs to forum FID
>         strSQL = "SELECT " & strDbTable & "Topic.Subject FROM " & _
>                  strDbTable & "Topic "
>         strSQL = strSQL & "WHERE " & strDbTable & "Topic.Forum_ID = " & _
>                  CLng(Request.QueryString("FID"))
>         strSQL = strSQL & " AND " & strDbTable & "Topic.Topic_ID = " & _
>                  CLng(Request.QueryString("TID"))
>         rsCommon.Open strSQL, adoCon
>         If rsCommon.EOF Then
>                 rsCommon.Close
>                 Set rsCommon = Nothing
>                 Set adoCon = Nothing
>                 Response.Redirect "insufficient_permission.asp"
>         End If
>         rsCommon.Close
>
>         'Read the quoted message only if message PID belongs to topic TID
>         strSQL = "SELECT " & strDbTable & "Author.Author_ID, " & _
>                  strDbTable & "Author.Username, " & strDbTable & "Thread.Message "
>         strSQL = strSQL & "FROM " & strDbTable & "Thread INNER JOIN " & _
>                  strDbTable & "Author ON " & strDbTable & "Thread.Author_ID = " & _
>                  strDbTable & "Author.Author_ID "
>         strSQL = strSQL & "WHERE " & strDbTable & "Thread.Thread_ID = " & _
>                  CLng(Request.QueryString("PID"))
>         strSQL = strSQL & " AND " & strDbTable & "Thread.Topic_ID = " & _
>                  CLng(Request.QueryString("TID"))
>
>         rsCommon.Open strSQL, adoCon
>         If rsCommon.EOF Then
>                 rsCommon.Close
>                 Set rsCommon = Nothing
>                 Set adoCon = Nothing
>                 Response.Redirect "insufficient_permission.asp"
>         End If
> ---  bug fix by pharaoh ----
> -- end snip post_message_form.asp ----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
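
The check that the quoted fix introduces, modelled as an added example (not part of the original post and not Web Wiz Forum code): a Python/sqlite3 sketch of the "quote" lookup before and after binding PID to TID and TID to FID. The table and column names, the `can_read` helper, and the assumption that permission is checked on the client-supplied FID are all hypothetical; the sample rows are constructed from the advisory's FID/TID/PID example.

```python
import sqlite3

def make_db():
    """Constructed data: topic 11 (message 1111) lives in private forum 2."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE topic  (topic_id INTEGER PRIMARY KEY, forum_id INTEGER);
        CREATE TABLE thread (thread_id INTEGER PRIMARY KEY, topic_id INTEGER,
                             message TEXT);
        CREATE TABLE forum_access (username TEXT, forum_id INTEGER);
        INSERT INTO topic  VALUES (10, 1), (11, 2);
        INSERT INTO thread VALUES (1000, 10, 'public post'),
                                  (1111, 11, 'private post');
        INSERT INTO forum_access VALUES ('A', 1);  -- user A: Forum1 only
    """)
    return db

def can_read(db, username, fid):
    """Hypothetical permission check on a forum id."""
    q = "SELECT 1 FROM forum_access WHERE username = ? AND forum_id = ?"
    return db.execute(q, (username, int(fid))).fetchone() is not None

def quote_vulnerable(db, username, pid, fid, tid):
    """Flawed flow: permission is checked on the FID from the request,
    but the message is fetched by PID alone."""
    if not can_read(db, username, fid):
        return None
    row = db.execute("SELECT message FROM thread WHERE thread_id = ?",
                     (int(pid),)).fetchone()
    return row[0] if row else None

def quote_fixed(db, username, pid, fid, tid):
    """Fixed flow: the message is returned only if PID belongs to TID and
    TID belongs to the FID that was permission-checked."""
    if not can_read(db, username, fid):
        return None
    row = db.execute(
        """SELECT th.message FROM thread th
           JOIN topic t ON t.topic_id = th.topic_id
           WHERE th.thread_id = ? AND th.topic_id = ? AND t.forum_id = ?""",
        (int(pid), int(tid), int(fid))).fetchone()
    return row[0] if row else None
```

The fixed version still trusts the request for which forum to check; deriving the forum from the message itself and checking permission on that value removes the dependency on FID and TID entirely.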

