Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   


Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker

Category:   Application (Forum/Board/Portal)  >   MegaBBS Vendors:   PD9 Software
MegaBBS Discloses Private Messages to Other Users
SecurityTracker Alert ID:  1015452
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 9 2006
Impact:   Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.1 and prior
Description:   Hamid Ebadi reported a vulnerability in MegaBBS. A remote user can read the private messages of other users.

A remote user can exploit a flaw in the 'send-private-message.asp' function to view private messages belonging to other users by modifying the 'replyid' value.

A demonstration exploit URL is provided:


Impact:   A remote user can view the private messages of another user.
Solution:   The vendor has issued a fix, available at:

Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Date:  Sat, 7 Jan 2006 20:06:23 -0800 (PST)
Subject:  MegaBBS ASP Forum Software Vulnerabilities

MegaBBS ASP Forum Software Vulnerabilitie
A complete, fully featured ASP website system.
Includes an extremely powerful forum, calendars,
polls, and photo albums.
Best of all, it's completely free! Find out why
MegaBBS is one of the fastest growing ASP messaging
portals available today.

The information has been provided by Hamid Ebadi
(Hamid Network Security Team)
The original article can be found

Vulnerable Systems:
MegaBBS  2.1 and below

A bug in the send-private-message funcationality has
been discovered that may disclose other members
private messages. 

example :
you can change replyid value and read other users
messages (-: 

patch & advisory
and update "send-private-message.asp"


Yahoo! DSL  Something to write home about. 
Just $16.99/mo. or less. 

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, LLC