[Full-Disclosure] Re: Authentication flaw in Web Wiz forum

From: Bruce Corkhill (bruce_at_webwizguide.info)
Date: 03/02/04

    To: "Alexander" <pk95@yandex.ru>
    Date: Tue, 02 Mar 2004 21:36:09 +0000
    
    

    Yet again!! Alexander aka. Pig Killer and Michael have posted an incorrect
    security bug report without first fully testing their findings.

    The security flaw reported below is incorrect, as they state that the user
    code stored in a cookie is not changed when the password for an account is
    changed. This is incorrect, as the user code is changed often, including when
    the user changes his/her password, unless the forum admin changes the
    password, in which case the user code is not changed so the user doesn't have
    to log back in if they request a new password from the forum admin. This may
    be changed in the next version so even if the admin changes a password the
    user code is updated.

    At 21:20 02/03/2004, you wrote:

    >Product: Web Wiz forum 7.0-7.7a www.webwizforum.com
    >
    >Risk: Medium
    >
    >Date: 02 March, 2004
    >
    >Author: Pig Killer and Michael ( www.SecurityLab.ru)
    >
    >When a user logs on to the forum, the forum uses the User_code value from
    >the tblAutor table in the underlying database for cookie identification,
    >and this value doesn't change when the password is changed. As a result,
    >when a user changes the password, he can register in the forum using old
    >cookies. As a result, if a user's cookies were compromised (for example by
    >XSS), then even changing the password will not protect his account from
    >unauthorized use.
    >
    >The forum also allows a logged-in user to change the password without
    >entering the old one. Thus, having the cookie, you can change the password
    >without knowing the old one.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
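
The rotation behaviour discussed in this thread, as an added example that is not part of either message and is not Web Wiz Forums code: a minimal Python model in which the cookie token (the "user code") is regenerated on every password change, including admin resets, and a self-service change requires the current password. The `Account` class and all method names are hypothetical.

```python
import hashlib
import hmac
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Hypothetical account record: password hash plus the cookie token (user code)."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)
        self.user_code = secrets.token_urlsafe(32)  # value stored in the cookie

    def cookie_valid(self, cookie: str) -> bool:
        # Constant-time comparison of the presented cookie with the stored code.
        return hmac.compare_digest(cookie.encode(), self.user_code.encode())

    def _set_password(self, new_password: str, rotate: bool) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(new_password, self.salt)
        if rotate:
            # A fresh user code invalidates every cookie issued before the change.
            self.user_code = secrets.token_urlsafe(32)

    def admin_reset_no_rotation(self, new_password: str) -> None:
        """Admin reset that keeps the user code, so old cookies stay valid."""
        self._set_password(new_password, rotate=False)

    def admin_reset(self, new_password: str) -> None:
        """Admin reset that also rotates the user code."""
        self._set_password(new_password, rotate=True)

    def user_change_password(self, cookie: str, current: str, new: str) -> bool:
        """Self-service change: needs a valid cookie AND the current password."""
        if not self.cookie_valid(cookie):
            return False
        if not hmac.compare_digest(_hash(current, self.salt), self.pw_hash):
            return False  # holding the cookie alone is not enough
        self._set_password(new, rotate=True)
        return True
```
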

