Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

DPEC Online Courseware

From: jwknight () CYBERLINK BC CA (Joel Knight)
Date: Fri, 15 Jan 1999 21:45:24 -0700

--BOKacYhQ+x31HxR3
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

DPEC's (www.dpec.com) Online Courseware has a nasty bug in it that allows
anyone to change anyone elses password without knowing what their current=
=20
password is. This is NOT limited to normal user accounts, but also to the
admin account(s).

When a user logs in for the first time, they are required to change their
password. User jblow goes to the main login page and enters his username
and password. The courseware sees that he is a new user and gives jblow
a second login screen asking him to verify his password; this is where the
problem is. The courseware puts the following tag into the verification
page: <INPUT TYPE=3D"hidden" NAME=3D"firstpass">. This tag basically tells =
the
courseware "its ok, change the current password to what the user enters
and allow them to login regardless of current password (if any)".

Further inspection of the verification page will find the actual password
stored in an <INPUT> tag with the TYPE=3D"hidden" attribute. Simply by
saving a copy of this verification page to your hard drive and making the
proper modifications, you can gain (administrator) access to the
courseware.

DPEC was notified back in Oct/Nov 1998 and basically said that there was
no other way that this password verification could take place.
I will not bore the Bugtraq readers with my rant on that subject :P

AFAIK, in DPEC's latest release, this problem has not been fixed.

--=20
 Joel Knight                                  jwknight () cyberlink bc ca

 PGP Key: hkp://keys.pgp.com/jwknight () cyberlink bc ca
 KeyID 2048/38C24864
 Fingerprint 6D7D 1E4F 728B ACDA 6557  F3EC 85BB BA7C 38C2 4864


--BOKacYhQ+x31HxR3
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
MessageID: 7kuQIOVxtz4hPx7Rs3SZQgSVHelGou2d

iQA/AwUBNqAZYYW7unw4wkhkEQJB5wCg2LoNg5M8aPoAVHr0KByHMDQqw0UAoPwo
rLva3xZkUcI7fUSGNXziElad
=a95K
-----END PGP SIGNATURE-----

--BOKacYhQ+x31HxR3--
Previous By Date Next
Previous By Thread Next

Current thread: