[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAtJph+OJM/UO4pIQFHwu+PsKAAAAQAAAAzz0OAQpZrEWanbbpS4IRAgEAAAAA@yandex.ru>
From: pk95 at yandex.ru (Alexander)
Subject: Critical bug in Web Wiz Forum
Hi all and Bruce!
Ctrlbrk found some critical bug in web wiz forum 7.? (Including last
public version 7.7?).
1. SQL Injection in
pop_up_ip_blocking.asp, line 113
For each laryCheckedIPAddrID in Request.Form("chkDelete") ? not
sanitized
Must be
For each laryCheckedIPAddrID in Cint(Request.Form("chkDelete"))
In result, remote user may manipulate SQL query and access to any user
account (User_code in tblAuthor table). Forum also allows to change password
without knowledge old password.
2. Unauthorized access in pop_up_topic_admin.asp when update topic status:
Line 115: If blnAdmin = False Then blnModerator = isModerator(intForumID,
intGroupID) <-- blnModerator=false if user is not moderator and all!
Must be:
If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)
If blnAdmin = False AND blnModerator = False Then
Response.Write("<div align=""center"">")
Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br
/><br /><br />")
Response.Write("</div>")
End If
In result, remote unauthorized user may manipulate Topic status - Change
name of topic, close topic, move topic ...
3. Unauthorized admin Topic in pop_up_ip_blocking.asp
Line 107: If blnAdmin = False Then blnModerator = isModerator(intForumID,
intGroupID)
Must be:
If blnAdmin = False AND blnModerator = False Then
Response.Write("<div align=""center"">")
Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br
/><br /><br />")
Response.Write("</div>")
End If
In result, remote unauthorized user may block any IP address.
Pig Killer
www.SecurityLab.ru
www.Seclab.ru
www.Securityfocus.ru
Special thanks to Ctrlbrk
Powered by blists - more mailing lists