Full Disclosure mailing list archives
Critical bug in Web Wiz Forum
From: "Alexander" <pk95 () yandex ru>
Date: Fri, 30 Apr 2004 23:17:18 +0400
Hi all and Bruce!

Ctrlbrk found some critical bugs in Web Wiz Forum 7.x (including the last public version, 7.7a).

1. SQL Injection in pop_up_ip_blocking.asp, line 113

    For each laryCheckedIPAddrID in Request.Form("chkDelete")   ← not sanitized

Must be:

    For each laryCheckedIPAddrID in Cint(Request.Form("chkDelete"))

As a result, a remote user may manipulate the SQL query and gain access to any user account (User_code in the tblAuthor table). The forum also allows changing a password without knowing the old password.

2. Unauthorized access in pop_up_topic_admin.asp when updating topic status

Line 115:

    If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)   <-- blnModerator=false if user is not moderator and all!

Must be:

    If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)
    If blnAdmin = False AND blnModerator = False Then
        Response.Write("<div align=""center"">")
        Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br /><br /><br />")
        Response.Write("</div>")
    End If

As a result, a remote unauthorized user may manipulate topic status: change the name of a topic, close a topic, move a topic ...

3. Unauthorized admin Topic in pop_up_ip_blocking.asp

Line 107:

    If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)

Must be:

    If blnAdmin = False AND blnModerator = False Then
        Response.Write("<div align=""center"">")
        Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br /><br /><br />")
        Response.Write("</div>")
    End If

As a result, a remote unauthorized user may block any IP address.

Pig Killer
www.SecurityLab.ru
www.Seclab.ru
www.Securityfocus.ru

Special thanks to Ctrlbrk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
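
The two checks the message above calls for (numeric validation of each chkDelete value, and an admin-or-moderator test before acting), as an added VBScript example that is not part of the original post or of Web Wiz Forum's code. The function names, the sample requests and the table name tblHypothetical are assumptions; the script runs under cscript.exe, and its comments mark where an ASP page would use Request.Form and Response.End.

```vbscript
Option Explicit
' True only for 1-9 decimal digits, so CLng below cannot fail or overflow.
Function IsSafeId(sValue)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsSafeId = re.Test(Trim(sValue))
End Function

' Returns an array of Longs, or Empty if any value is not numeric.
' In the ASP page colValues would be Request.Form("chkDelete").
Function ParseIdList(colValues)
    Dim item, ids(), n
    n = -1
    For Each item In colValues
        If Not IsSafeId(item) Then
            ParseIdList = Empty   ' reject the whole request, not just one value
            Exit Function
        End If
        n = n + 1
        ReDim Preserve ids(n)
        ids(n) = CLng(Trim(item))
    Next
    If n = -1 Then ParseIdList = Array() Else ParseIdList = ids
End Function

' Deny by default: proceed only for an admin or a moderator of this forum.
Function IsAllowed(blnAdmin, blnModerator)
    IsAllowed = (blnAdmin = True) Or (blnModerator = True)
End Function

' Constructed sample requests: (blnAdmin, blnModerator, chkDelete values).
Dim req, ids, id
For Each req In Array( _
        Array(True, False, Array("3", "17")), _
        Array(True, False, Array("3", "1 OR 1=1")), _
        Array(False, False, Array("3")))
    If Not IsAllowed(req(0), req(1)) Then
        ' In ASP: write strTxtAccessDenied, then Response.End so nothing below runs.
        WScript.Echo "access denied"
    Else
        ids = ParseIdList(req(2))
        If IsEmpty(ids) Then
            WScript.Echo "rejected: non-numeric ID"
        Else
            For Each id In ids
                ' tblHypothetical / ID are placeholder names, not the forum's schema.
                WScript.Echo "DELETE FROM tblHypothetical WHERE ID = " & id
            Next
        End If
    End If
Next
```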