Bugtraq mailing list archives
Re: Ecardis Password Reseting Vulnerability
From: Trish Lynch <trish () bsdunix net>
Date: 3 Mar 2003 17:37:05 -0000
In-Reply-To: <20030227071424.25278.qmail () www securityfocus com>
Date: 27 Feb 2003 07:14:24 -0000
From: Haluk AYDIN <haydin () biznet com tr>
To: bugtraq () securityfocus com
Subject: Ecardis Password Reseting Vulnerability

Hi,

I don't know if someone has discovered this before, but Ecartis 1.0.0 (former listar) contains a vulnerability that enables an attacker to reset passwords of any user defined on the list server, including the list admins.

After logging on as a non-privileged user, Ecartis enables the user to change his/her password, but does not ask for the old one. The first time I saw this, I thought that the software relies on the session cookie, but it seems this is not the case.

The HTML page contains the username in the "hidden" fields. After saving the page on disk, then replacing all "hidden" fields with another username which is defined in the server, and reloading the page again, we can try our chance to change the password. Just fill in the empty password fields with a password of your choice, and click "Change Password": there you are... You have just reset the victim's password.

I have not tested this on different versions, but I guess it will work for all of them.

I would appreciate any comments on the issue.

Regards,

Thank you for bringing this to our attention, it was fixed only a few hours after receiving this. The FreeBSD port (which I maintain) has also been updated. Please use snapshot versions after 20030227, and make sure the FreeBSD port is updated as well.

-Trish Lynch - ecartis core team.
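The flaw described in this thread, modelled as an added example in Python (not Ecartis code): the vulnerable handler updates whichever account the form's hidden username field names, while the hardened handler takes the account from the server-side session and requires the current password. The user store, session table, function names and sample accounts are all constructed for the demonstration.

```python
# Added example, not Ecartis code: a minimal model of the password-change
# flow from the advisory. The vulnerable handler trusts the username sent
# back in the form's hidden field; the hardened handler takes the account
# from the server-side session and re-checks the current password.
import hashlib, hmac, secrets
from typing import Optional

USERS = {}     # constructed user store: username -> (salt, pbkdf2 hash)
SESSIONS = {}  # constructed session table: cookie value -> username

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def set_password(name: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[name] = (salt, _hash(password, salt))

def check_password(name: str, password: str) -> bool:
    if name not in USERS:
        return False
    salt, stored = USERS[name]
    return hmac.compare_digest(_hash(password, salt), stored)

def login(name: str, password: str) -> Optional[str]:
    """Returns a session cookie on success, None otherwise."""
    if not check_password(name, password):
        return None
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = name
    return cookie

def change_password_vulnerable(cookie: str, form: dict) -> bool:
    """Mirrors the reported flaw: any logged-in user may submit the form,
    the target account comes from the hidden 'username' field, and the
    old password is never asked for."""
    if cookie not in SESSIONS:
        return False
    set_password(form["username"], form["newpass"])  # caller-controlled target
    return True

def change_password_hardened(cookie: str, form: dict) -> bool:
    """The account is the one bound to the session (the hidden field is
    ignored), and the current password must be supplied and correct."""
    name = SESSIONS.get(cookie)
    if name is None or not check_password(name, form.get("oldpass", "")):
        return False
    set_password(name, form["newpass"])
    return True
```

The same tampered form that silently resets another user's password in the first handler is rejected by the second, because the target account is never read from the client.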