Re: Ecardis Password Reseting Vulnerability

[Trish Lynch <trish () bsdunix net>]

In-Reply-To: <20030227071424.25278.qmail () www securityfocus com>

> Received: (qmail 11401 invoked from network); 27 Feb
2003 16:13:51 -0000
> Received: from outgoing2.securityfocus.com (HELO
outgoing.securityfocus.com) (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 27 Feb 2003
16:13:51 -0000
> Received: from lists.securityfocus.com
(lists.securityfocus.com [205.206.231.19])
>
by outgoing.securityfocus.com (Postfix) with QMQP
>
id EE0608F2AB; Thu, 27 Feb 2003 08:46:22 -0700 (MST)
> Mailing-List: contact bugtraq-help () securityfocus com;
run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe:
<mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe:
<mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> Received: (qmail 26239 invoked from network); 27 Feb
2003 07:19:07 -0000
> Date: 27 Feb 2003 07:14:24 -0000
> Message-ID:
<20030227071424.25278.qmail () www securityfocus com>
> Content-Type: text/plain
> Content-Disposition: inline
> Content-Transfer-Encoding: binary
> MIME-Version: 1.0
> X-Mailer: MIME-tools 5.411 (Entity 5.404)
> From: Haluk AYDIN <haydin () biznet com tr>
> To: bugtraq () securityfocus com
> Subject: Ecardis Password Reseting Vulnerability
>
>
>
> Hi,
>
> I don't know if someone has discovered this before but
Ecartis 1.0.0 
> (former listar) contains a vulnerability that enables
an attacker to reset 
> passwords of any user defined on the list server,
including the list 
> admins. 
>
> After logging on as a non-priviledged user, Ecartis
enables the user to 
> change his/her password, but does not ask for the old
one. The first time 
> I have seen this, I thought that the software relies
on the session 
> cookie, but it seems this is not the case. 
>
> The html page contains the username in the "hidden"
fields. After saving 
> the page on disk, then replacing all "hidden" fields
with another username 
> which is defined in the server, and reloading the page
again we can try 
> our chance to change the password. Just fill in the
empty password fields 
> with a password of your choice, and click "Change
Password": there you 
> are... You have just reset the victim's password.
>
> I have not tested this on different versions, but I
guess it will work for 
> all of them. I would appreciate any comments on the issue.
>
> Regards,


Thank you for bringing this to our attention, it was
fixed only a few hours after recieving this.

The FreeBSD port (which I maintain) has also been updated

Please use snapshot versions after 20030227, and make
sure the FreeBSD port is update as well.

-Trish Lynch - ecartis core team.