[Full-Disclosure] Critical bug in Web Wiz Forum
From: Alexander (pk95_at_yandex.ru)
Date: 04/30/04
- Previous message: Slotto Corleone: "Re: [Full-Disclosure] H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <full-disclosure@lists.netsys.com> Date: Fri, 30 Apr 2004 23:17:18 +0400
Hi all and Bruce!
Ctrlbrk found some critical bugs in Web Wiz Forum 7.x (including the last
public version, 7.7a).
1. SQL Injection in pop_up_ip_blocking.asp, line 113:
For each laryCheckedIPAddrID in Request.Form("chkDelete") <-- not sanitized
Must be:
For each laryCheckedIPAddrID in Cint(Request.Form("chkDelete"))
As a result, a remote user may manipulate the SQL query and gain access to any user
account (User_code in the tblAuthor table). The forum also allows changing a password
without knowing the old password.
2. Unauthorized access in pop_up_topic_admin.asp when updating topic status:
Line 115: If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID) <-- blnModerator=false if the user is not a moderator, and that's all!
Must be:
If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)
If blnAdmin = False AND blnModerator = False Then
Response.Write("<div align=""center"">")
Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br /><br /><br />")
Response.Write("</div>")
End If
As a result, a remote unauthorized user may manipulate the topic status: change the
name of the topic, close the topic, move the topic, ...
3. Unauthorized admin action in pop_up_ip_blocking.asp
Line 107: If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)
Must be:
If blnAdmin = False AND blnModerator = False Then
Response.Write("<div align=""center"">")
Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br /><br /><br />")
Response.Write("</div>")
End If
As a result, a remote unauthorized user may block any IP address.
Pig Killer
www.SecurityLab.ru
www.Seclab.ru
www.Securityfocus.ru
Special thanks to Ctrlbrk
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
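Editor's note: the following is an added illustration of bug 1 above and is not part of the original post or of Web Wiz Forum's own code. It models, in Python over an in-memory SQLite table, what happens when each value of a multi-valued form field (classic ASP delivers several checked chkDelete boxes as one comma-separated collection, which For Each walks item by item) is concatenated straight into a DELETE statement, and what a per-item integer check plus a bound parameter changes. The table name, column names and the DELETE query text are assumptions, since the advisory does not show the query in pop_up_ip_blocking.asp.

```python
import re
import sqlite3

# Constructed sample rows standing in for the forum's IP-block list
# (the real schema behind pop_up_ip_blocking.asp is not shown in the post).
SAMPLE_ROWS = [(1, "10.0.0.1"), (2, "10.0.0.2"), (3, "10.0.0.3")]


def make_db():
    """Fresh in-memory table so each call below starts from the same state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblIPBlock (IPAddrID INTEGER PRIMARY KEY, IP_addr TEXT)")
    conn.executemany("INSERT INTO tblIPBlock VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def form_values(raw):
    """Model of Request.Form("chkDelete"): several checked boxes arrive as one
    comma-separated string and For Each yields each item in turn."""
    return [v.strip() for v in raw.split(",") if v.strip()]


def remaining_ids(conn):
    return [row[0] for row in conn.execute("SELECT IPAddrID FROM tblIPBlock ORDER BY IPAddrID")]


def delete_unsanitized(conn, raw):
    """Vulnerable pattern from the advisory: every form value is pasted into
    the statement unchanged, so the value can extend the WHERE clause.
    (Hypothetical query text, assumed for the example.)"""
    for value in form_values(raw):
        conn.execute("DELETE FROM tblIPBlock WHERE IPAddrID = " + value)
    conn.commit()
    return remaining_ids(conn)


# Only a short run of digits is an acceptable row id.
_ID_RE = re.compile(r"[0-9]{1,9}")


def delete_sanitized(conn, raw):
    """Hardened version: each item is checked to be a plain integer before
    use, and the value travels as a bound parameter, never as query text."""
    ids = []
    for value in form_values(raw):
        if _ID_RE.fullmatch(value) is None:
            raise ValueError("chkDelete contains a non-numeric value: %r" % value)
        ids.append(int(value))
    conn.executemany("DELETE FROM tblIPBlock WHERE IPAddrID = ?", [(i,) for i in ids])
    conn.commit()
    return remaining_ids(conn)


if __name__ == "__main__":
    print(delete_unsanitized(make_db(), "2"))         # honest request: [1, 3]
    print(delete_unsanitized(make_db(), "2 OR 1=1"))  # tampered value empties the table: []
    print(delete_sanitized(make_db(), "1, 3"))        # two boxes ticked: [2]
    try:
        delete_sanitized(make_db(), "2 OR 1=1")
    except ValueError as err:
        print("rejected:", err)
```

The check is applied to every item of the collection rather than to the collection as a whole, because a single conversion of the joined "1,3" string would not yield a usable id; the parameterised DELETE then guarantees that even a value which slipped past the regex could only ever be compared as data.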