Vulnerability Development mailing list archives
En: ubb hole
From: Tiago Gava <tgava () TELESPCELULAR COM BR>
Date: Mon, 20 Nov 2000 03:03:39 -0200
----- Original Message -----
From: tdf
To: tgava () telespcelular com br
Sent: Monday, November 20, 2000 2:46 PM
Subject: ubb hole

-----------------------------------------------------------------------------------
Ultimate Bulletin Board - Private forums security hole, by tdf (tdf () linuxbr com br)
-----------------------------------------------------------------------------------

Well, I can see any open topic inside a private forum (password protected) WITHOUT having the password. How? It's simple! Using the quote feature of the Ultimate Bulletin Board! Look at this example:

http://www.scriptkeeper.com/cgi-bin/postings.cgi?action=reply&forum=tdf&number=21&topic=000004.cgi&TopicSubject=tdf&replyto=0

Hmm, it's an Infopop help forum, using the last version of UBB (5.73). This session of the forum is reserved for moderators only, and protected with a password. Put this URL in your web browser and see it with your own eyes!

I can see all open threads in this session of the forum just by changing the number of the xxxxx.cgi, and all their replies by changing replyto=XX.

You noted that I can quote a msg without giving the password... The problem is there :)

c-ya!
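The flaw class reported above, a quote/reply action that returns post text without the password check applied when reading a private forum, shown beside a corrected form. This is an added example, not part of the original post and not UBB source code; the forum model, function names and sample data are hypothetical, and only the parameter names `forum`, `topic` and `replyto` mirror the URL in the report.

```python
# Added illustration: a hypothetical forum model, not UBB source code.
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


class Forbidden(Exception):
    """Raised when a private forum is accessed without its password."""


@dataclass
class Forum:
    password: Optional[str]        # None means the forum is public
    topics: Dict[str, List[str]]   # topic id -> post bodies, indexed by replyto


# Constructed sample data.
FORUMS = {
    "mods": Forum("s3cret", {"000004": ["opening post", "moderator-only reply"]}),
    "general": Forum(None, {"000001": ["hello"]}),
}


def authorize(forum: Forum, supplied: Optional[str]) -> None:
    """Single gate for every action that returns post content."""
    if forum.password is None:
        return
    if supplied is None or not hmac.compare_digest(
            supplied.encode(), forum.password.encode()):
        raise Forbidden("forum password required")


def read_topic(forum_id, topic, password=None):
    forum = FORUMS[forum_id]
    authorize(forum, password)
    return forum.topics[topic]


def reply_form_unchecked(forum_id, topic, replyto, password=None):
    # Flaw class from the report: the quote path loads the post body
    # without the check that read_topic applies.
    forum = FORUMS[forum_id]
    return "[quote]" + forum.topics[topic][replyto] + "[/quote]"


def reply_form_checked(forum_id, topic, replyto, password=None):
    # Same gate as the read path, applied before any post body is loaded.
    forum = FORUMS[forum_id]
    authorize(forum, password)
    return "[quote]" + forum.topics[topic][replyto] + "[/quote]"
```

Routing every content-returning action through one `authorize` call keeps a newly added action from silently skipping the check.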