Date: Sun, 1 Sep 2013 20:37:53 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>,
 "1337 Exploit DataBase" <mr.inj3ct0r@...il.com>
Subject: Insufficient Authorization vulnerability in Act

Hello list!

This is an Insufficient Authorization vulnerability in Act. It is conference
software written in Perl.

Besides Insufficient Authorization, there are a lot of other vulnerabilities
in Act.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of Act (they fixed this hole on July 27, 2013).
The developers don't use version numbers for their software.

-------------------------
Affected vendors:
-------------------------

Act - A Conference Toolkit
http://act.mongueurs.net

----------
Details:
----------

Insufficient Authorization (WASC-02):

http://site/edittalk?talk_id=1

Any authenticated user can edit arbitrary talks (by setting the id), and also
delete them (via the edit function).

This vulnerability can be used to sabotage a conference by deleting all talks.

------------
Timeline:
------------ 

2013.07.14 - informed the organizers of YAPC::Europe 2013, on whose site I
found this and other holes. They declined to fix this and all the other holes
on their site (which they had had for 10 years while using Act), arguing that
the developers of Act should do that and that they don't care about the
security of their site.
2013.07.14 - informed the Act developers. They didn't answer.
2013.07.16 - announced at my site.
2013.07.27 - developers fixed this vulnerability (without answering and
thanking)
(https://github.com/book/Act/commit/e9c5257594f7eb69c4f935fb14fadb1bc79b46d7).
2013.08.29 - disclosed at my site (http://websecurity.com.ua/6657/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
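The flaw described above is a missing object-level authorization check: the edittalk handler verified that a session existed but never checked whether the session user owned the talk named by talk_id. The following Perl snippet is an added example (not code from the advisory, and not Act's own code or data model) showing the vulnerable pattern next to a corrected one, using a constructed in-memory talk store and a made-up "organizer" role in place of Act's real database and permission model.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed in-memory talk store standing in for the application's database.
my %talks = (
    1 => { id => 1, user_id => 100, title => 'Keynote' },
    2 => { id => 2, user_id => 200, title => 'Lightning talk' },
);

# Constructed users; 'organizer' is a hypothetical conference-level role.
my %users = (
    100 => { id => 100, organizer => 0 },
    200 => { id => 200, organizer => 0 },
    300 => { id => 300, organizer => 1 },
);

# Vulnerable pattern: authentication only. Any logged-in user passes,
# regardless of which talk_id they supply in the request.
sub can_edit_talk_vulnerable {
    my ($user, $talk) = @_;
    return defined $user ? 1 : 0;
}

# Fixed pattern: object-level check. The talk must belong to the
# requesting user, or the user must hold the organizer role.
sub can_edit_talk {
    my ($user, $talk) = @_;
    return 0 unless defined $user && defined $talk;
    return 1 if $user->{organizer};
    return $talk->{user_id} == $user->{id} ? 1 : 0;
}

# Request handler simulating /edittalk?talk_id=N with an optional
# action (delete) or new title (edit). Returns an HTTP-style status.
sub handle_edittalk {
    my (%req) = @_;
    my $user = $users{ $req{session_user_id} // '' };
    my $talk = $talks{ $req{talk_id} // '' };
    return { status => 401 } unless $user;            # not logged in
    return { status => 404 } unless $talk;            # no such talk
    unless ( can_edit_talk($user, $talk) ) {
        # A 403 here is the event worth logging: a user asked for a
        # talk_id they do not own, which is exactly the probing pattern
        # the advisory describes.
        warn sprintf "denied: user %d attempted %s on talk %d\n",
            $user->{id}, $req{action} // 'edit', $talk->{id};
        return { status => 403 };
    }
    if ( ( $req{action} // '' ) eq 'delete' ) {
        delete $talks{ $talk->{id} };
    }
    elsif ( defined $req{title} ) {
        $talk->{title} = $req{title};
    }
    return { status => 200 };
}

# Demonstration: user 200 tries to delete user 100's talk, then the owner
# edits it, then an organizer deletes it.
for my $req (
    { session_user_id => 200, talk_id => 1, action => 'delete' },   # 403
    { session_user_id => 100, talk_id => 1, title  => 'Opening' },  # 200
    { session_user_id => 300, talk_id => 1, action => 'delete' },   # 200
    { session_user_id => 100, talk_id => 1 },                       # 404
) {
    my $res = handle_edittalk(%$req);
    printf "user=%s talk_id=%s -> %d\n",
        $req->{session_user_id}, $req->{talk_id}, $res->{status};
}
```

The point of the contrast is that `can_edit_talk_vulnerable` would return 1 for the first request and let user 200 delete a talk they do not own. The corrected check is done on the server after the talk row is loaded, so the client-supplied talk_id is only ever an index into records the user is entitled to touch. Logging the 403 branch also gives a simple detection signal: many denied edittalk requests from one session, walking through talk ids, is what the mass-deletion scenario in the advisory would look like from the server side.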


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/