[30714] in bugtraq
ZH2003-4SA (security advisory): ASP-DEV Discussion Forum V2.0
daemon@ATHENA.MIT.EDU (G00db0y)
Sat Jul 12 18:53:59 2003
Date: 12 Jul 2003 14:38:36 -0000
Message-ID: <20030712143836.25018.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: G00db0y <G00db0y@zone-h.org>
To: bugtraq@securityfocus.com
ZH2003-4SA (security advisory): ASP-DEV Discussion Forum V2.0
Published: 12/07/2003
Released: 12/07/2003
Name: ASP-DEV Discussion Forum V2.0
Affected Systems: All versions
Issue: Remote attackers can obtain users information (including passwords)
Author: G00db0y@zone-h.org
Description
***********
Zone-h Security Team has discovered a serious security flaw in all
versions of
ASP-DEV Discussion Forum "with many updated features, bug fixes and code
enhancements."
Details
*******
ASP-DEV Discussion Forum V2.0 is an ASP forum system that covers all the
needs for a forum.
It's possible to retrieve sensible users information. There is an
administrative
section for administrating this forum. This section is located here:
http://www.example.com/forum/admin/ (if forum is the installation dir of
the forum)
By default this page isn't restricted, so everyone can be the
administrator of this
forum. Everyone can see every password and every users information.
Solution:
*********
The vendor has been contacted and a patch is not yet produced
Suggestions:
************
Protect the admin directory.
G00db0y - www.zone-h.org admin
Original advisory here: http://www.zone-h.org/en/advisories/read/id=2685/
