lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3FAD71AF.7000200@snosoft.com>
From: dotslash at snosoft.com (KF)
Subject: Unauthorized access in Web Wiz Forum

This is the same thing some chump tryed yelling at me for (also just 
happened to SCO's posts)... its caused by ccing bugtraq / full-disc / 
other mailing lists in the same message. When each list sends out the 
message to its members it also gets resent to FD.

If you want to go to multiple lists try sending mails one by one...


-KF

Alexander Antipov wrote:

>What's shit? I did not send this message again!
>
>--------------------------------
>
>Received: from NETSYS.COM ([199.201.233.10]:55737 "EHLO netsys.com"
>smtp-auth:
> <none> TLS-CIPHER: <none> TLS-PEER-CN1: <none>) by mail.yandex.ru
> with ESMTP id <S687718AbTKFWoQ>; Fri, 7 Nov 2003 01:44:16 +0300
>Received: from NETSYS.COM (localhost [127.0.0.1])
> by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id hA6LbcG06235;
> Thu, 6 Nov 2003 16:37:38 -0500 (EST)
>Received: from mail.suretel.net (mail1.suretel.net [69.8.3.246])
> by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id hA6LXI704437
> for <full-disclosure@...ts.netsys.com>; Thu, 6 Nov 2003 16:33:20 -0500
>(EST)
>Received: from mail pickup service by mail.suretel.net with Microsoft
>SMTPSVC;
>  Thu, 6 Nov 2003 15:32:18 -0600
>
>--------------------------------
>
>
>
>----- Original Message ----- 
>From: "Alexander Antipov" <pk95@...dex.ru>
>To: <full-disclosure@...ts.netsys.com>; <bugtraq@...urityfocus.com>
>Cc: <info@...wizguide.info>
>Sent: Sunday, November 02, 2003 12:49 PM
>Subject: [Full-Disclosure] Unauthorized access in Web Wiz Forum
>
>
>  
>
>>Unauthorized access in Web Wiz Forum
>>
>>A vulnerability has found in  Web Wiz Forum (6.34, 7.01, 7.5). Remote user
>>(authenticated or not) can read message in private forum. Remote user can
>>post message in private forum.
>>
>>Software does not compare message to forum, when "quote" mode is used. In
>>result, remote user (authenticated or not) can read and post message in
>>private forum, to which he hasn't access. Example:
>>User "A" has read and write access to Forum1 (FID=1) and no access to
>>    
>>
>Forum2
>  
>
>>(FID=2) and message with PID=1111 (in topic TID=11) belong to
>>    
>>
>Forum2(FID=2).
>  
>
>>User "A" has no access to topic TID=11 with message PID=1111. However,
>>    
>>
>user
>  
>
>>can use "quote" mode for message PID=1111 with Forum1 (FID=1) (instead of
>>FID=2) to read the private message and answer to it, when use follow URL:
>>
>>
>>    
>>
>http://webwizforum/post_message_form.asp?mode=quote&PID=1111&FID=1&TID=11&TPN=1
>  
>
>>(instead of PID=1111&FID=2&TID=11&TPN=1)
>>
>>thanks to Tecklord, Pharaoh and other moderator of
>>http://Forum.SecurityLab.ru
>>
>>
>>Sorry for my poor English
>>
>>
>>Solution:
>>
>>-- begin snip post_message_form.asp ----
>>'If this is a quoted message read in the message to be quoted
>>If strMode = "quote" Then
>>
>>        'Get the number this thread is after
>>        intTotalNumOfThreads = Request.QueryString("NOP")
>>
>>        'Get the return thread page
>>        intRecordPositionPageNum = Request.QueryString("TPN")
>>
>>---  bug fix by pharaoh ----
>>       strSQL = "SELECT " & strDbTable & "Topic.Subject FROM " &
>>    
>>
>strDbTable
>  
>
>>& "Topic "
>>        strSQL = strSQL & "WHERE " & strDbTable & "Topic.Forum_ID = " &
>>CLng(Request.QueryString("FID"))
>>        strSQL = strSQL & "AND " & strDbTable & "Topic.Topic_ID = " &
>>CLng(Request.QueryString("TID"))
>>        rsCommon.Open strSQL, adoCon
>>        If rsCommon.EOF Then
>>                rsCommon.Close
>>                Set rsCommon = Nothing
>>                Set adoCon = Nothing
>>                Set adoCon = Nothing
>>                Response.Redirect "insufficient_permission.asp"
>>        End If
>>        rsCommon.Close
>>
>>        strSQL = "SELECT " & strDbTable & "Author.Author_ID, " &
>>    
>>
>strDbTable
>  
>
>>& "Author.Username, " & strDbTable & "Thread.Message "
>>        strSQL = strSQL & "FROM " & strDbTable & "Thread INNER JOIN " &
>>strDbTable & "Author ON " & strDbTable & "Thread.Author_ID = " &
>>    
>>
>strDbTable
>  
>
>>& "Author.Author_ID "
>>        strSQL = strSQL & "WHERE " & strDbTable & "Thread.Thread_ID = " &
>>CLng(Request.QueryString("PID"))
>>        strSQL = strSQL & "AND " & strDbTable & "Thread.Topic_ID = " &
>>CLng(Request.QueryString("TID"))
>>
>>        rsCommon.Open strSQL, adoCon
>>        If rsCommon.EOF Then
>>                rsCommon.Close
>>                Set rsCommon = Nothing
>>                Set adoCon = Nothing
>>                Set adoCon = Nothing
>>                Response.Redirect "insufficient_permission.asp"
>>        End If
>>---  bug fix by pharaoh ----
>>-- end snip post_message_form.asp ----
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
>>    
>>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>  
>



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ