
Category:   Application (Forum/Board/Portal)  >   Web Wiz Forums
Vendors:   Web Wiz Guide
(Vendor Issues Fix) Re: Web Wiz Forums Discloses Private Messages to Remote Users
SecurityTracker Alert ID:  1008100
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 5 2003
Impact:   Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.34, 7.01, 7.5
Description:   A vulnerability was reported in Web Wiz Forums. A remote user can read and post messages in private forums on the target system.

It is reported that when the "quote" mode is invoked, the software does not properly check access permissions. A remote user can access messages in a private forum.

A remote user can change the forum ID value (FID) to a target forum ID to access messages in the target forum.

Impact:   A remote user can access messages from private forums.
Solution:   The vendor has issued a fixed version (7.51), available at:

Vendor URL:
Cause:   Access control error
Underlying OS:  Windows (Any)
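
The access control error described above, modelled as an added example (this is not Web Wiz Forums code, which the page does not show): a quote handler that authorizes the forum ID taken from the request without comparing it to the forum the quoted message belongs to, beside a handler that does. The data model, function names, user names and IDs are assumptions constructed for illustration.

```python
# Constructed in-memory model; forum IDs, message IDs and users are hypothetical.
FORUMS = {1: {"name": "General", "private": False},
          2: {"name": "Staff", "private": True}}
MESSAGES = {100: {"forum_id": 1, "body": "Welcome to the board"},
            200: {"forum_id": 2, "body": "Staff-only notes"}}
MEMBERS = {2: {"alice"}}  # users allowed into each private forum


class AccessDenied(Exception):
    pass


def can_read(user, forum_id):
    """True if the forum exists and the user (None = not logged in) may read it."""
    forum = FORUMS.get(forum_id)
    if forum is None:
        return False
    return not forum["private"] or user in MEMBERS.get(forum_id, set())


def quote_unchecked(user, fid, message_id):
    """Flawed pattern: authorizes the request's FID, never ties the message to it."""
    if not can_read(user, fid):
        raise AccessDenied("no access to forum %d" % fid)
    return "[quote]%s[/quote]" % MESSAGES[message_id]["body"]


def quote_checked(user, fid, message_id):
    """Hardened pattern: the forum stored with the message is the authority."""
    msg = MESSAGES.get(message_id)
    # One error for "missing", "mismatched" and "forbidden", so the response
    # does not reveal which message IDs exist in private forums.
    if msg is None or msg["forum_id"] != fid or not can_read(user, msg["forum_id"]):
        raise AccessDenied("message not available")
    return "[quote]%s[/quote]" % msg["body"]


def is_denied(handler, user, fid, message_id):
    """Regression helper: True if the handler refuses the request."""
    try:
        handler(user, fid, message_id)
        return False
    except AccessDenied:
        return True
```

The `is_denied` helper is meant for a regression test: every handler that accepts both a forum ID and a message ID should refuse a mismatched pair.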

Message History:   This archive entry is a follow-up to the message listed below.
Nov 3 2003 Web Wiz Forums Discloses Private Messages to Remote Users

 Source Message Contents

Subject:  Re: Unauthorized access in Web Wiz Forum

In-Reply-To: <020a01c3a126$9b91aaf0$0bd3bdd5@pigkiller>

The following issue has been resolved with release 7.51 of Web Wiz Forums.

The updated version, 7.51, that has corrected this vulnerability can be downloaded from:-
>Unauthorized access in Web Wiz Forum
>A vulnerability has been found in Web Wiz Forum (6.34, 7.01, 7.5). Remote user
>(authenticated or not) can read message in private forum. Remote user can
>post message in private forum.
>Software does not compare message to forum, when "quote" mode is used. In
>result, remote user (authenticated or not) can read and post message in
>private forum, to which he hasn't access.
>thanks to Tecklord, Pharaoh and other moderator of

