| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <429823F2.5020504@yahoo.com> Date: Sat May 28 08:55:36 2005 From: rapigator at yahoo.com (Rapigator) Subject: Invision Power Board 1.x and 2.x Privilege Escalation Vulnerability If an non-root admin goes to delete their own group, they are taken to a screen that says "*Move users in this group to..." in which they can select the root admin group and move themselves into it. actually, they can move all users in any group into the root admin group root admins have complete access to the database where regular admins do not. they can run their own queries directly though invisionboard's "SQL Toolbox" or download the database. only root admins can edit other root admins' accounts. This affects : Invision Power Services Invision Board 1.0 Invision Power Services Invision Board 1.0.1 Invision Power Services Invision Board 1.1.1 Invision Power Services Invision Board 1.1.2 Invision Power Services Invision Board 1.2 Invision Power Services Invision Board 1.3 Final Invision Power Services Invision Board 1.3 Invision Power Services Invision Board 1.3 Invision Power Services Invision Board 1.3.1 Final Invision Power Services Invision Board 2.0 PF2 Invision Power Services Invision Board 2.0 PF1 Invision Power Services Invision Board 2.0 PDR3 Invision Power Services Invision Board 2.0 Alpha 3 Invision Power Services Invision Board 2.0 Invision Power Services Invision Board 2.0.1 Invision Power Services Invision Board 2.0.2 Invision Power Services Invision Board 2.0.3 Invision Power Services Invision Board 2.0.4
Powered by blists - more mailing lists