lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: bruce at webwizguide.info (Bruce Corkhill)
Subject: Re: Authentication flaw in Web Wiz forum

Yet again!! Alexander aka. Pig Killer and Michael have posted an incorrect 
security bug report without first fully testing there findings first.

The security flaw reported below is incorrect as they state that the user 
code stored in a cookie is not changed when the password for an account is 
changed, this is incorrect as the user code is changed often including when 
the user changes his/her password, unless the forum admin changes the 
password then the user code is not changed so the user doesn't have to log 
back in if they request a new password from the forum admin. This maybe be 
changed in the next version so even if the admin change a password the user 
code is updated.




At 21:20 02/03/2004, you wrote:

>Product:  Web Wiz forum 7.0-7.7a www.webwizforum.com
>
>Risk:          Medium
>
>Date:         02 March, 2004
>
>Autor:        Pig Killer and Michael ( www.SecurityLab.ru)
>
>
>
>When user log on forum, for his cookies identification forum using User_code
>value from tblAutor table from underlying database, which doesn't change
>with changing of password. As a result, when user change password, he can
>register in the forum using old cookies. As a result, if users cookies was
>compromised (for example by XSS), then even password changing will doesn't
>protect his account from unauthorized using.
>
>
>
>The forum also allows logged in user to change the password without entering
>the old one. Thus, having cookie, you can change the password without
>knowing the old one.


Powered by blists - more mailing lists