lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: pk95 at yandex.ru (Alexander)
Subject: Critical bug in Web Wiz Forum

Hi all and Bruce!

Ctrlbrk  found some critical bug in web wiz forum 7.? (Including last
public version 7.7?). 

1. SQL Injection in 
pop_up_ip_blocking.asp, line  113

  For each laryCheckedIPAddrID in Request.Form("chkDelete")  ? not
sanitized  

Must be 
 
For each laryCheckedIPAddrID in Cint(Request.Form("chkDelete"))

In result, remote user may manipulate SQL query and access to any user
account (User_code in tblAuthor table). Forum also allows to change password
without knowledge old password. 

2. Unauthorized access in pop_up_topic_admin.asp when update topic status:

Line 115: If blnAdmin = False Then blnModerator = isModerator(intForumID,
intGroupID) <-- blnModerator=false if user is not moderator and all! 

Must be:
If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)
If blnAdmin = False AND blnModerator = False Then 
 
Response.Write("<div align=""center"">") 

Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br
/><br /><br />") 

Response.Write("</div>") 
End If

In result, remote unauthorized user may manipulate Topic status - Change
name of topic, close topic, move topic ...

3. Unauthorized admin Topic in  pop_up_ip_blocking.asp
Line 107: If blnAdmin = False Then blnModerator = isModerator(intForumID,
intGroupID) 

Must be:
If blnAdmin = False AND blnModerator = False Then 
 
Response.Write("<div align=""center"">") 

Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br
/><br /><br />") 

Response.Write("</div>") 
End If

In result, remote unauthorized user may block any IP address.



Pig Killer
www.SecurityLab.ru
www.Seclab.ru
www.Securityfocus.ru


Special thanks to Ctrlbrk

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ