SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   Snitz Forums Vendors:   Snitz Communications
Snitz Forums Input Validation Flaw in 'password.asp' Lets Remote Users Reset the Passwords of Arbitrary Users
SecurityTracker Alert ID:  1007001
SecurityTracker URL:  http://securitytracker.com/id/1007001
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 16 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 3.4.0.3
Description:   Some vulnerabilities were reported in Snitz Forums. A remote user can change an arbitrary user's password. A remote user can conduct cross-site scripting attacks.

JeiAr of Gulftech Computers & CSA Security Research reported two vulnerabilities.

It is reported that a remote user can sumbit a modified 'memberid' value to the 'password.asp' script to change the target user's password to an arbitrary value.

It also is reported that the 'search.asp' function does not filter HTML code from user-supplied search strings before displaying the code. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Snitz Forums software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://path/search.asp?Search="><script>alert()</script>

A remote user can use the stolen cookies to gain access to the target user's account.

The vendor has reportedly been notified.

Impact:   A remote user can change the password of target user to an arbitrary value.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Snitz Forums software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  forum.snitz.com/ (Links to External Site)
Cause:   Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiple Vulnerabilities In Snitz Forums




Multiple Vulnerabilities In Snitz 3.4.0.3
-------------------------------------------
Versions Affected: 3.4.0.3 (current) / Others?
Vendor Notification: Informed
Vendor Website: http://www.snitz.com



Product Description 
-------------------------------------------
Snitz Forums is a full-featured UBB-style ASP 
discussion board application. New features in version 3.3: 
Complete Topic/Post Moderation, Topic Archiving, Subscribe 
to Board / Category / Forum / Topic, Improved unsubscribe, 
Short(er) urls, Category and Forum ordering, and Improved 
Members-page. And like always, upgrading of the database is 
done for you by the setupscript



search.asp Search Feature XSS Vulnerability
-------------------------------------------
Snitz search feature is vulnerable to XSS which
can aide an attacker in stealing cookies, and thus
compromising the account, as described below

http://path/search.asp?Search="><script>alert()</script>



Account Compromise Via Cookie Poisoning
-------------------------------------------
In order to steal another users identity, all an attacker 
needs to know is thier encrypted password. This is not
very hard to obtain using the XSS as described above, or
other methods. Once an attacker has this info, all they
have to do is login to thier normal account to get a valid
session id, close the browser, replace thier username and 
encrypted pass with that of the victim, and return to the 
site where they will be recognized as the victim.



password.asp Password Reset Vulnerability
-------------------------------------------
This is the most serious of the vulns, as it requries no
real effort and leaves the entire snitz forum open to attack.
All an attacker has to do is request a forgotten password, save
the password reset page offline,edit the member id to the desired
member id, and submit the form. The members password will then
be reset to that of the attackers choosing.



Credits
-------------------------------------------
Credits go to JeiAr of Gulftech Computers & 
CSA Security Rsearch http://www.gulftech.org

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC