Bugtraq mailing list archives
Re: Vulnerability in all versions of DCForum from dcscripts.com
From: David Choi <dcscripts () yahoo com>
Date: Fri, 1 Feb 2002 10:39:54 -0800 (PST)
Let me add that this doesn't affect older versions of DCForum (DCF99, 98, 97) as those features do not include retrieving password feature.

Thanks.

David S. Choi
DCScripts.com

--- shimi <shimi () jct ac il> wrote:
When a user requests a new password for his account, a new password is generated and sent to the requester (anyone that knows the username+email information, which is usually available in "user profile").

The problem is that the password is simply the first 6 characters of the user's SessionID, which is, of course, known to anybody who knows how to see a value in a cookie. Hence every user in the world can come to the board, request a new password for someone, and then log in with that username + 6 first characters of the SessionID from the cookie.

The author has been notified (by me), and even released a patch, but, as it appears, didn't bother saying that here, where most of the world will be reading it, so I decided to do it myself.

Here's my post:
http://www.dcscripts.com/cgi-bin/dcforum/dcboard.cgi?az=read_count&om=1198&forum=dcfBug
And here's the patch: http://www.dcscripts.com/bugtrac/DCForumID7/3.html

Best regards,
Shimi

----
"Outlook is a massive flaming horrid blatant security violation, which also happens to be a mail reader."
"Sure UNIX is user friendly; it's just picky about who its friends are."
Sign that you downloaded Linux from a bad source: "My compiler keeps hanging on NSABackdoor.h !!!"
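As an added illustration (not DCForum's code and not the vendor's patch), the Python sketch below models the derivation described in the quoted report next to a reset token that is independent of the session cookie. `ResetTokenStore`, `predictable_from_cookie`, the 15-minute lifetime and any sample SessionID passed in are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 900  # assumed validity window for a reset token


def weak_reset_password(session_id: str) -> str:
    """Model of the reported flaw: the new password is the first 6
    characters of the SessionID, which the requester holds in a cookie."""
    return session_id[:6]


def predictable_from_cookie(secret: str, session_id: str) -> bool:
    """Regression check: can the secret be read out of the session cookie?"""
    return secret == session_id[:6] or secret in session_id


class ResetTokenStore:
    """Hypothetical hardened flow: a random one-time token is mailed to the
    account owner; the existing password is untouched until it is redeemed."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # username -> (sha256 of token, expiry time)

    def issue(self, username: str) -> str:
        # OS CSPRNG output, unrelated to any value the requester can see.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[username] = (digest, self._now() + RESET_TTL_SECONDS)
        return token  # sent only to the registered e-mail address

    def redeem(self, username: str, token: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expiry = entry
        if self._now() > expiry:
            del self._pending[username]  # expired tokens are discarded
            return False
        candidate = hashlib.sha256(token.encode()).digest()
        ok = hmac.compare_digest(candidate, digest)  # constant-time compare
        if ok:
            del self._pending[username]  # single use
        return ok
```

A production version would also rate-limit `redeem` per account, since this sketch leaves a pending token in place after a wrong guess.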
Current thread:
- Vulnerability in all versions of DCForum from dcscripts.com shimi (Feb 01)
- Re: Vulnerability in all versions of DCForum from dcscripts.com David Choi (Feb 01)