[24069] in bugtraq
Vulnerability in all versions of DCForum from dcscripts.com
daemon@ATHENA.MIT.EDU (shimi)
Fri Feb 1 13:06:20 2002
Date: Fri, 1 Feb 2002 14:15:44 +0200 (IST)
From: shimi <shimi@jct.ac.il>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.GSO.4.33_heb2.09.0202011409210.22126-100000@beitza.jct.ac.il>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
When a user requests a new password for his account, a new password is
generated and sent to the requester (anyone that knows the username+email
information, which is usually available in "user profile").
The problem is that the password is simply the first 6 characters of the
user's SessionID, which is, of course, known to anybody who knows how to
see a value in a cookie.
Hence every user in the world can come to the board, request a new
password for someone, and then login with that username + 6 first
characters of the SessionID from the cookie.
The author has been notified (by me), and even released a patch, but, as
it appears, didn't bother saying that here, where most of the world will
be reading it, so I decided to do it myself.
Here's my post:
http://www.dcscripts.com/cgi-bin/dcforum/dcboard.cgi?az=read_count&om=1198&forum=dcfBug
And here's the patch:
http://www.dcscripts.com/bugtrac/DCForumID7/3.html
Best regards,
Shimi
----
"Outlook is a massive flaming horrid blatant security violation, which
also happens to be a mail reader."
"Sure UNIX is user friendly; it's just picky about who its friends are."
Sign that you downloaded Linux from a bad source:
"My compiler keeps hanging on NSABackdoor.h !!!"
