Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

`admin' bug in upb

From: GooDWiN <badwin () rambler ru>
Date: Sun, 25 Aug 2002 18:20:13 +0400 (MSD)

product: Ultimate PHP Board (UPB) 
version: Public Beta 1.0b !!FIXED 
vendor: http://www.webrc.ca/php/upb.php
status: notified

------------------------------------------------
summary: upb allow to have two `admin' accounts, 
but witn different access levels. its may 
aply with spoofing attacks. 
------------------------------------------------
 i have been register `admin' account within install procedure. it is have 
`Admin' permissions. later i was register `admin' again with normal way (via 
register.php) and upb dont output some error. but THIZ `admin' have a `member' 
permissions. 

solution (from ewgenij_s () gmx de)
---------

in register.php change 

      $c = count($d)-2; 

      with 

      $c = count($d)-1; 


regardz,
GooDWiN /tF0KP
----------------------------
www.security-ru.net

___________________________
origin: i'm not a lame,
         not yet a hacker ))


----
  http://www.rambler.ru
Previous By Date Next
Previous By Thread Next

Current thread: