Bugtraq mailing list archives

Ecartis Password Resetting Vulnerability


From: Haluk AYDIN <haydin () biznet com tr>
Date: 27 Feb 2003 07:14:24 -0000



Hi,

I don't know if someone has discovered this before but Ecartis 1.0.0 
(former listar) contains a vulnerability that enables an attacker to reset 
passwords of any user defined on the list server, including the list 
admins. 

After logging on as a non-privileged user, Ecartis enables the user to 
change his/her password, but does not ask for the old one. The first time 
I saw this, I thought that the software relied on the session 
cookie, but it seems this is not the case. 

The html page contains the username in the "hidden" fields. After saving 
the page on disk, then replacing all "hidden" fields with another username 
which is defined in the server, and reloading the page again we can try 
our chance to change the password. Just fill in the empty password fields 
with a password of your choice, and click "Change Password": there you 
are... You have just reset the victim's password.

I have not tested this on different versions, but I guess it will work for 
all of them. I would appreciate any comments on the issue.

Regards,
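
The flaw described in the post is a missing authorization check: the handler trusts a hidden form field to name the account being modified, instead of binding the change to the authenticated session, and it never asks for the current password. The following is an added illustration written for this archive page; it is hypothetical code, not Ecartis source, and the `ListServer` class, its method names, the form field names (`user`, `old`, `new1`, `new2`) and the user names `alice` and `admin` are all assumptions. It places a handler with the same defect beside a hardened one and shows that the tampered request the post describes is accepted by the first and rejected by the second.

```python
"""Hypothetical model (not Ecartis code) of a password-change handler that
trusts a hidden 'user' form field, next to a hardened handler that derives
the target account from the session and requires the old password."""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns salt||digest so the record is self-describing."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password, record):
    """Constant-time comparison against a stored salt||digest record."""
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class ListServer:
    """Minimal stand-in for a list server's user store and session table."""

    def __init__(self):
        self.users = {}     # username -> password record
        self.sessions = {}  # session cookie -> username

    def add_user(self, name, password):
        self.users[name] = hash_password(password)

    def login(self, name, password):
        """Returns a session cookie on success, None otherwise."""
        record = self.users.get(name)
        if record is None or not verify_password(password, record):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = name
        return sid

    def change_password_vulnerable(self, session_id, form):
        """Defective handler: the session only proves that *someone* is logged
        in; the account to modify is taken from the client-supplied hidden
        field, and the current password is never checked."""
        if session_id not in self.sessions:
            return "not logged in"
        target = form["user"]  # attacker-controlled
        if target not in self.users:
            return "no such user"
        if form["new1"] != form["new2"]:
            return "new passwords do not match"
        self.users[target] = hash_password(form["new1"])
        return "changed"

    def change_password_fixed(self, session_id, form):
        """Hardened handler: the target is always the session's own user, the
        hidden field is merely cross-checked, and the old password is required."""
        actor = self.sessions.get(session_id)
        if actor is None:
            return "not logged in"
        if form.get("user") != actor:
            return "rejected: form user does not match session user"
        if not verify_password(form.get("old", ""), self.users[actor]):
            return "rejected: old password incorrect"
        if form["new1"] != form["new2"]:
            return "new passwords do not match"
        self.users[actor] = hash_password(form["new1"])
        return "changed"


def demo():
    """Constructed scenario: 'alice' is an ordinary subscriber, 'admin' the
    list owner. A form saved by alice with its hidden field re-pointed at
    'admin' (as the post describes) is submitted to both handlers.
    Returns (vulnerable_result, admin_changed, fixed_result, admin_intact)."""
    tampered = {"user": "admin", "new1": "new-pw", "new2": "new-pw"}

    srv = ListServer()
    srv.add_user("alice", "alice-pw")
    srv.add_user("admin", "admin-pw")
    sid = srv.login("alice", "alice-pw")
    vuln_result = srv.change_password_vulnerable(sid, tampered)
    admin_changed = verify_password("new-pw", srv.users["admin"])

    srv = ListServer()
    srv.add_user("alice", "alice-pw")
    srv.add_user("admin", "admin-pw")
    sid = srv.login("alice", "alice-pw")
    fixed_result = srv.change_password_fixed(sid, tampered)
    admin_intact = verify_password("admin-pw", srv.users["admin"])

    return vuln_result, admin_changed, fixed_result, admin_intact


if __name__ == "__main__":
    print(demo())
```

The two checks in the hardened handler address separate risks: deriving the target from the session closes the account-substitution path even if the hidden field is kept for display purposes, and requiring the old password limits what a stolen or left-open session can do. A mismatch between the hidden field and the session user is worth logging, since a legitimate client never produces one.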

