Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Multiple Vulnerabilities In Snitz Forums

From: JeiAr <jeiar () kmfms com>
Date: 16 Jun 2003 09:51:13 -0000


Multiple Vulnerabilities In Snitz 3.4.0.3
-------------------------------------------
Versions Affected: 3.4.0.3 (current) / Others?
Vendor Notification: Informed
Vendor Website: http://www.snitz.com



Product Description 
-------------------------------------------
Snitz Forums is a full-featured UBB-style ASP 
discussion board application. New features in version 3.3: 
Complete Topic/Post Moderation, Topic Archiving, Subscribe 
to Board / Category / Forum / Topic, Improved unsubscribe, 
Short(er) urls, Category and Forum ordering, and Improved 
Members-page. And like always, upgrading of the database is 
done for you by the setupscript



search.asp Search Feature XSS Vulnerability
-------------------------------------------
Snitz search feature is vulnerable to XSS which
can aide an attacker in stealing cookies, and thus
compromising the account, as described below

http://path/search.asp?Search=";>&lt;script&gt;alert()&lt;/script&gt;



Account Compromise Via Cookie Poisoning
-------------------------------------------
In order to steal another users identity, all an attacker 
needs to know is thier encrypted password. This is not
very hard to obtain using the XSS as described above, or
other methods. Once an attacker has this info, all they
have to do is login to thier normal account to get a valid
session id, close the browser, replace thier username and 
encrypted pass with that of the victim, and return to the 
site where they will be recognized as the victim.



password.asp Password Reset Vulnerability
-------------------------------------------
This is the most serious of the vulns, as it requries no
real effort and leaves the entire snitz forum open to attack.
All an attacker has to do is request a forgotten password, save
the password reset page offline,edit the member id to the desired
member id, and submit the form. The members password will then
be reset to that of the attackers choosing.



Credits
-------------------------------------------
Credits go to JeiAr of Gulftech Computers & 
CSA Security Rsearch http://www.gulftech.org
Previous By Date Next
Previous By Thread Next

Current thread: