DCForum Messaging Board Lets Remote Users Gain Access to Other User Bulletin Board Accounts
Updated: Feb 2 2002
Original Entry Date: Feb 1 2002
Impact: Disclosure of authentication information, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): All packages downloaded before Jan 31, 2002, except for DCF99, 98, and 97, which do not include the password retrieval feature
Description: An access control vulnerability was reported in DCScript's DCForum messaging web board software. A remote user with an account on DCForum can gain access to any other user's account on DCForum.

It is reported that when a user requests a new password, the new password is generated for the requested user based on the first 6 characters of the current user's SessionID. That SessionID is stored in a cookie on the user's browser.

A remote user can reportedly request a new password for a different user. The system will apparently generate a new password based on the requester's SessionID and will send that information to the different (victim) user. The remote user can then determine the password based on the remote user's current SessionID and can then log in as the other (victim) user.
Impact: A remote user with an account on DCForum can gain access to any other user's account on DCForum.
Solution: The vendor has released a patch, available at the Vendor URL and at:
http://www.dcscripts.com/bugtrac/DCForumID7/3.html
Or, a user can replace the retrieve_password.pl script with the content available at:
http://www.dcscripts.com/FAQ/retrieve_password.txt
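
The flaw described above, modelled as an added Python example (not DCForum's Perl code and not the vendor's patch), next to a reset that draws the password from a CSPRNG and a regression check that tells the two apart. The function names, sample accounts, SessionID value and the 16-character length are assumptions made for illustration.

```python
import secrets
import string

# Constructed sample data: account names, addresses and the SessionID are made up.
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}
SESSION_ID = "9f3c1ab27d40"  # value the requester reads from their own cookie
ALPHABET = string.ascii_letters + string.digits


def reset_vulnerable(requester_sid, target_user, store, outbox):
    """Flawed pattern from the advisory: the new password is the first six
    characters of the requester's SessionID."""
    new_password = requester_sid[:6]
    store[target_user] = new_password
    outbox.append((USERS[target_user], new_password))  # mailed to the account owner


def reset_hardened(requester_sid, target_user, store, outbox):
    """Assumed fix: the password comes from the OS CSPRNG and depends on no
    value the requester supplies or can observe."""
    new_password = "".join(secrets.choice(ALPHABET) for _ in range(16))
    store[target_user] = new_password
    outbox.append((USERS[target_user], new_password))


def requester_can_predict(reset_fn, requester_sid, target_user):
    """Regression check: after a reset requested for another account, is the
    stored password something the requester can slice out of their own cookie?"""
    store, outbox = {}, []
    reset_fn(requester_sid, target_user, store, outbox)
    # The mail goes to the account owner only; the requester never sees it.
    assert outbox == [(USERS[target_user], store[target_user])]
    sid = requester_sid
    derivable = {sid[i:j] for i in range(len(sid)) for j in range(i + 1, len(sid) + 1)}
    return store[target_user] in derivable


if __name__ == "__main__":
    for fn in (reset_vulnerable, reset_hardened):
        print(fn.__name__, "predictable by requester:",
              requester_can_predict(fn, SESSION_ID, "bob"))
```

The check passes for the vulnerable version even though the reset mail is delivered only to the account owner, which is the point of the advisory: delivery to the right mailbox does not help when the secret is derived from requester-visible state.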
Vendor URL: www.dcscripts.com/bugtrac/DCForumID7/3.html
Cause: Access control error, Authentication error
Underlying OS: Linux (Any), UNIX (Any), Windows (NT), Windows (2000)
Reported By: shimi <shimi@jct.ac.il>
Message History: None.

Source Message Contents

Date: Fri, 1 Feb 2002 14:15:44 +0200 (IST)
From: shimi <shimi@jct.ac.il>
Subject: Vulnerability in all versions of DCForum from dcscripts.com
When a user requests a new password for his account, a new password is
generated and sent to the requester (anyone that knows the username+email
information, which is usually available in "user profile").
The problem is that the password is simply the first 6 characters of the
user's SessionID, which is, of course, known to anybody who knows how to
see a value in a cookie.
Hence every user in the world can come to the board, request a new
password for someone, and then log in with that username + 6 first
characters of the SessionID from the cookie.
The author has been notified (by me), and even released a patch, but, as
it appears, didn't bother saying that here, where most of the world will
be reading it, so I decided to do it myself.
Here's my post:
http://www.dcscripts.com/cgi-bin/dcforum/dcboard.cgi?az=read_count&om=1198&forum=dcfBug
And here's the patch:
http://www.dcscripts.com/bugtrac/DCForumID7/3.html
Best regards,
Shimi
----
"Outlook is a massive flaming horrid blatant security violation, which
also happens to be a mail reader."
"Sure UNIX is user friendly; it's just picky about who its friends are."
Sign that you downloaded Linux from a bad source:
"My compiler keeps hanging on NSABackdoor.h !!!"