Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Vulnerability in all versions of DCForum from dcscripts.com
From: David Choi <dcscripts () yahoo com>
Date: Fri, 1 Feb 2002 10:39:54 -0800 (PST)

Let me add that this doesn't affect older versions of
DCForum (DCF99, 98, 97) as those features do not
include retrieving password feature.

Thanks.

David S. Choi
DCScripts.com


--- shimi <shimi () jct ac il> wrote:

When a user requests a new password for his account,
a new password is
generated and sent to the requester (anyone that
knows the username+email
information, which is usually available in "user
profile").

The problem is that the password is simply the first
6 characters of the
user's SessionID, which is, of course, known to
anybody who knows how to
see a value in a cookie.

Hence every user in the world can come to the board,
request a new
password for someone, and then login with that
username + 6 first
characters of the SessionID from the cookie.

The author has been notified (by me), and even
released a patch, but, as
it appears, didn't bother saying that here, where
most of the world will
be reading it, so I decided to do it myself.

Here's my post:

http://www.dcscripts.com/cgi-bin/dcforum/dcboard.cgi?az=read_count&om=1198&forum=dcfBug

And here's the patch:
http://www.dcscripts.com/bugtrac/DCForumID7/3.html

  Best regards,
     Shimi


----

   "Outlook is a massive flaming horrid blatant
security violation, which
    also happens to be a mail reader."

   "Sure UNIX is user friendly; it's just picky
about who its friends are."

    Sign that you downloaded Linux from a bad
source:
    "My compiler keeps hanging on NSABackdoor.h !!!"



__________________________________________________
Do You Yahoo!?
Great stuff seeking new owners in Yahoo! Auctions! 
http://auctions.yahoo.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]