Re: [Full-Disclosure] Re: Authentication flaw in Web Wiz forum

From: Bruce Corkhill (bruce_at_webwizguide.info)
Date: 03/02/04

    To: "Alexander" <pk95@yandex.ru>
    Date: Tue, 02 Mar 2004 22:18:15 +0000
    
    

    Yet again!! Alexander aka. Pig Killer and Michael have found their report
    to be incorrect and have tried to retract it but not fully with another
    incorrect bug report.

    The Forgotten Password feature requires the user to enter details about
    themselves including user name, email address, etc. that they used when
    registering. Only once this data is entered correctly is a new password
    emailed to the user's email address.

    So the security flaw mentioned by Alexander aka. Pig Killer and Michael is
    incorrect as it is not applicable when using this feature.

    If you are using Web Wiz Forums then please ignore all bug reports by
    Alexander aka. Pig Killer and Michael as they are incorrect (and not for
    the first time!!) so you do not need to worry or email the site for a new
    version.

    At 21:40 02/03/2004, you wrote:

    >Hi all again!
    >
    >This bug works only when the password changes using the "Forgotten your
    >password?" feature.
    >
    >The user code is changed when changing the password using "user profile".
    >
    >Sorry for my mistake.
    >
    >
    >----- Original Message -----
    >From: "Alexander" <pk95@yandex.ru>
    >To: <full-disclosure@lists.netsys.com>
    >Cc: "Bruce Corkhill" <bruce@webwizguide.info>
    >Sent: Wednesday, March 03, 2004 12:20 AM
    >Subject: Authentication flaw in Web Wiz forum
    >
    >
    > > Product: Web Wiz forum 7.0-7.7a www.webwizforum.com
    > >
    > > Risk: Medium
    > >
    > > Date: 02 March, 2004
    > >
    > > Author: Pig Killer and Michael (www.SecurityLab.ru)
    > >
    > >
    > >
    > > When a user logs on to the forum, for cookie identification the forum
    > > uses the User_code value from the tblAutor table of the underlying
    > > database, which doesn't change when the password is changed. As a
    > > result, when a user changes the password, he can register in the forum
    > > using old cookies. As a result, if the user's cookies were compromised
    > > (for example by XSS), then even changing the password will not protect
    > > his account from unauthorized use.
    > >
    > >
    > >
    > > The forum also allows a logged-in user to change the password without
    > > entering the old one. Thus, having a cookie, you can change the
    > > password without knowing the old one.
    > >
    >
    >_______________________________________________
    >Full-Disclosure - We believe in it.
    >Charter: http://lists.netsys.com/full-disclosure-charter.html
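
The property disputed in this thread, as an added example that is not part of either message and is not Web Wiz Forums code: a Python model in which the per-account cookie token is rotated on both password paths and the profile path demands the old password. The class, method and field names are hypothetical, and the forgotten-password identity checks are assumed to be done by the caller.

```python
import hashlib, hmac, os, secrets

class AccountStore:
    """Toy model: one cookie token (user_code) per account, as in the report."""

    def __init__(self):
        self._users = {}  # name -> {"salt", "pw", "user_code"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, name, password):
        salt = os.urandom(16)
        self._users[name] = {"salt": salt, "pw": self._hash(password, salt),
                             "user_code": secrets.token_urlsafe(32)}

    def _check_password(self, name, password):
        u = self._users.get(name)
        return u is not None and hmac.compare_digest(u["pw"], self._hash(password, u["salt"]))

    def login(self, name, password):
        """Return the cookie value on success, None otherwise."""
        return self._users[name]["user_code"] if self._check_password(name, password) else None

    def cookie_owner(self, cookie):
        """Map a presented cookie to an account name, or None if it is stale."""
        for name, u in self._users.items():
            if cookie and hmac.compare_digest(u["user_code"].encode(), cookie.encode()):
                return name
        return None

    def _set_password(self, name, new_password):
        u = self._users[name]
        u["salt"] = os.urandom(16)
        u["pw"] = self._hash(new_password, u["salt"])
        u["user_code"] = secrets.token_urlsafe(32)  # rotate: old cookies stop validating
        return u["user_code"]

    def change_password(self, name, old_password, new_password):
        """Profile path: require the old password, a cookie alone is not enough."""
        if not self._check_password(name, old_password):
            return None
        return self._set_password(name, new_password)

    def reset_password(self, name, new_password):
        """Forgotten-password path (identity checks assumed done by the caller)."""
        return self._set_password(name, new_password)
```
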
