Full Disclosure mailing list archives

Re: Unauthorized access in Web Wiz Forum


From: KF <dotslash () snosoft com>
Date: Sat, 08 Nov 2003 17:43:59 -0500

This is the same thing some chump tried yelling at me for (it also just happened to SCO's posts)... it's caused by CCing bugtraq / full-disc / other mailing lists in the same message. When each list sends out the message to its members it also gets resent to FD.

If you want to go to multiple lists try sending mails one by one...


-KF

Alexander Antipov wrote:

What's shit? I did not send this message again!

--------------------------------

Received: from NETSYS.COM ([199.201.233.10]:55737 "EHLO netsys.com"
smtp-auth:
<none> TLS-CIPHER: <none> TLS-PEER-CN1: <none>) by mail.yandex.ru
with ESMTP id <S687718AbTKFWoQ>; Fri, 7 Nov 2003 01:44:16 +0300
Received: from NETSYS.COM (localhost [127.0.0.1])
by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id hA6LbcG06235;
Thu, 6 Nov 2003 16:37:38 -0500 (EST)
Received: from mail.suretel.net (mail1.suretel.net [69.8.3.246])
by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id hA6LXI704437
for <full-disclosure () lists netsys com>; Thu, 6 Nov 2003 16:33:20 -0500
(EST)
Received: from mail pickup service by mail.suretel.net with Microsoft
SMTPSVC;
 Thu, 6 Nov 2003 15:32:18 -0600

--------------------------------



----- Original Message ----- From: "Alexander Antipov" <pk95 () yandex ru>
To: <full-disclosure () lists netsys com>; <bugtraq () securityfocus com>
Cc: <info () webwizguide info>
Sent: Sunday, November 02, 2003 12:49 PM
Subject: [Full-disclosure] Unauthorized access in Web Wiz Forum


Unauthorized access in Web Wiz Forum

A vulnerability has been found in Web Wiz Forum (6.34, 7.01, 7.5). A remote user
(authenticated or not) can read messages in a private forum. A remote user can
post messages in a private forum.

The software does not compare the message to the forum when "quote" mode is used. As
a result, a remote user (authenticated or not) can read and post messages in a
private forum to which he has no access. Example:
User "A" has read and write access to Forum1 (FID=1) and no access to Forum2
(FID=2), and the message with PID=1111 (in topic TID=11) belongs to Forum2 (FID=2).
User "A" has no access to topic TID=11 with message PID=1111. However, the user
can use "quote" mode for message PID=1111 with Forum1 (FID=1) (instead of
FID=2) to read the private message and answer it, using the following URL:


http://webwizforum/post_message_form.asp?mode=quote&PID=1111&FID=1&TID=11&TPN=1
(instead of PID=1111&FID=2&TID=11&TPN=1)

Thanks to Tecklord, Pharaoh and the other moderators of
http://Forum.SecurityLab.ru


Sorry for my poor English


Solution:

-- begin snip post_message_form.asp ----
'If this is a quoted message read in the message to be quoted
If strMode = "quote" Then

        'Get the number this thread is after
        intTotalNumOfThreads = Request.QueryString("NOP")

        'Get the return thread page
        intRecordPositionPageNum = Request.QueryString("TPN")

        '--- bug fix by pharaoh ---
        'First check: the requested topic (TID) must really belong to the
        'requested forum (FID). CLng() forces both values to integers.
        strSQL = "SELECT " & strDbTable & "Topic.Subject FROM " & strDbTable & "Topic "
        strSQL = strSQL & "WHERE " & strDbTable & "Topic.Forum_ID = " & CLng(Request.QueryString("FID"))
        strSQL = strSQL & " AND " & strDbTable & "Topic.Topic_ID = " & CLng(Request.QueryString("TID"))
        rsCommon.Open strSQL, adoCon
        If rsCommon.EOF Then
                'No such topic in this forum: clean up and refuse
                rsCommon.Close
                Set rsCommon = Nothing
                Set adoCon = Nothing
                Response.Redirect "insufficient_permission.asp"
        End If
        rsCommon.Close

        'Second check: the message to be quoted (PID) must really belong to
        'that topic (TID), so PID cannot be combined with a foreign FID/TID
        strSQL = "SELECT " & strDbTable & "Author.Author_ID, " & strDbTable & "Author.Username, " & strDbTable & "Thread.Message "
        strSQL = strSQL & "FROM " & strDbTable & "Thread INNER JOIN " & strDbTable & "Author ON " & strDbTable & "Thread.Author_ID = " & strDbTable & "Author.Author_ID "
        strSQL = strSQL & "WHERE " & strDbTable & "Thread.Thread_ID = " & CLng(Request.QueryString("PID"))
        strSQL = strSQL & " AND " & strDbTable & "Thread.Topic_ID = " & CLng(Request.QueryString("TID"))

        rsCommon.Open strSQL, adoCon
        If rsCommon.EOF Then
                'Message is not in this topic: clean up and refuse
                rsCommon.Close
                Set rsCommon = Nothing
                Set adoCon = Nothing
                Response.Redirect "insufficient_permission.asp"
        End If
        '--- bug fix by pharaoh ---
-- end snip post_message_form.asp ----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
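
The missing-authorization flaw described in the advisory, as an added example that is not part of the original post and is not Web Wiz Forum's code: an in-memory SQLite model (table and column names are an assumption modelled on the posted SQL, the ForumAccess table and the function names quote_vulnerable / quote_fixed are hypothetical) in which the vulnerable handler authorizes against the client-supplied FID and then loads the post by PID alone, while the hardened handler derives the forum from the post itself and requires PID, TID and FID to form one valid chain, as pharaoh's fix does.

```python
import sqlite3

# Constructed in-memory schema modelled on the table and column names in the
# posted SQL (Topic.Forum_ID, Topic.Topic_ID, Thread.Thread_ID, Thread.Topic_ID).
# It is an assumption for this example, not Web Wiz Forum's real schema.
SCHEMA = """
CREATE TABLE Forum (Forum_ID INTEGER PRIMARY KEY, Name TEXT);
CREATE TABLE Topic (Topic_ID INTEGER PRIMARY KEY, Forum_ID INTEGER NOT NULL, Subject TEXT);
CREATE TABLE Thread (Thread_ID INTEGER PRIMARY KEY, Topic_ID INTEGER NOT NULL,
                     Author_ID INTEGER NOT NULL, Message TEXT);
CREATE TABLE ForumAccess (Author_ID INTEGER NOT NULL, Forum_ID INTEGER NOT NULL);
"""


def build_db():
    """Constructed sample data reproducing the advisory's scenario:
    user 1 ("A") may read Forum1 only; PID=1111 lives in TID=11 inside private Forum2."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO Forum VALUES (?, ?)",
                    [(1, "Forum1 (public)"), (2, "Forum2 (private)")])
    con.executemany("INSERT INTO Topic VALUES (?, ?, ?)",
                    [(10, 1, "Hello"), (11, 2, "Private topic")])
    con.executemany("INSERT INTO Thread VALUES (?, ?, ?, ?)",
                    [(1000, 10, 1, "public post"), (1111, 11, 2, "private message")])
    con.executemany("INSERT INTO ForumAccess VALUES (?, ?)",
                    [(1, 1), (2, 1), (2, 2)])   # user 1 -> Forum1; user 2 -> both
    return con


def can_read_forum(con, author_id, forum_id):
    """Hypothetical permission lookup: may this author read this forum?"""
    row = con.execute("SELECT 1 FROM ForumAccess WHERE Author_ID = ? AND Forum_ID = ?",
                      (author_id, forum_id)).fetchone()
    return row is not None


def quote_vulnerable(con, author_id, pid, fid, tid):
    """Models the flaw: authorizes against the client-supplied FID, then loads
    the post by PID alone, so PID and FID are never tied to each other."""
    if not can_read_forum(con, author_id, fid):
        return None
    row = con.execute("SELECT Message FROM Thread WHERE Thread_ID = ?", (pid,)).fetchone()
    return row[0] if row else None


def quote_fixed(con, author_id, pid, fid, tid):
    """Hardened form: walk Thread -> Topic -> Forum from the post itself, require
    the supplied TID and FID to agree with that chain, and authorize against the
    forum the post actually belongs to rather than the one the client claimed."""
    row = con.execute(
        "SELECT Thread.Message, Topic.Forum_ID "
        "FROM Thread INNER JOIN Topic ON Thread.Topic_ID = Topic.Topic_ID "
        "WHERE Thread.Thread_ID = ? AND Topic.Topic_ID = ? AND Topic.Forum_ID = ?",
        (pid, tid, fid)).fetchone()
    if row is None:
        return None          # post/topic/forum identifiers do not form one valid chain
    message, real_forum_id = row
    if not can_read_forum(con, author_id, real_forum_id):
        return None          # permission checked on the derived forum, not the claimed one
    return message


if __name__ == "__main__":
    db = build_db()
    # User 1 claims FID=1 while quoting PID=1111, which lives in private Forum2
    print("vulnerable:", quote_vulnerable(db, 1, 1111, 1, 11))  # leaks "private message"
    print("fixed:     ", quote_fixed(db, 1, 1111, 1, 11))       # None
```

The design point is that the forum used for the permission decision must come from the server's own record of where the post lives, never from a request parameter; checking that the three identifiers agree (the two EOF checks in the posted fix) closes the hole, and authorizing on the derived Forum_ID keeps it closed even if a later code path forgets one of those checks.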


Current thread: