Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Ecardis Password Reseting Vulnerability
From: Trish Lynch <trish () bsdunix net>
Date: 3 Mar 2003 17:37:05 -0000

In-Reply-To: <20030227071424.25278.qmail () www securityfocus com>

Received: (qmail 11401 invoked from network); 27 Feb
2003 16:13:51 -0000
Received: from outgoing2.securityfocus.com (HELO
outgoing.securityfocus.com) (205.206.231.26)
 by mail.securityfocus.com with SMTP; 27 Feb 2003
16:13:51 -0000
Received: from lists.securityfocus.com
(lists.securityfocus.com [205.206.231.19])

by outgoing.securityfocus.com (Postfix) with QMQP

id EE0608F2AB; Thu, 27 Feb 2003 08:46:22 -0700 (MST)
Mailing-List: contact bugtraq-help () securityfocus com;
run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq () securityfocus com>
List-Help: <mailto:bugtraq-help () securityfocus com>
List-Unsubscribe:
<mailto:bugtraq-unsubscribe () securityfocus com>
List-Subscribe:
<mailto:bugtraq-subscribe () securityfocus com>
Delivered-To: mailing list bugtraq () securityfocus com
Delivered-To: moderator for bugtraq () securityfocus com
Received: (qmail 26239 invoked from network); 27 Feb
2003 07:19:07 -0000
Date: 27 Feb 2003 07:14:24 -0000
Message-ID:
<20030227071424.25278.qmail () www securityfocus com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
From: Haluk AYDIN <haydin () biznet com tr>
To: bugtraq () securityfocus com
Subject: Ecardis Password Reseting Vulnerability



Hi,

I don't know if someone has discovered this before but
Ecartis 1.0.0 
(former listar) contains a vulnerability that enables
an attacker to reset 
passwords of any user defined on the list server,
including the list 
admins. 

After logging on as a non-priviledged user, Ecartis
enables the user to 
change his/her password, but does not ask for the old
one. The first time 
I have seen this, I thought that the software relies
on the session 
cookie, but it seems this is not the case. 

The html page contains the username in the "hidden"
fields. After saving 
the page on disk, then replacing all "hidden" fields
with another username 
which is defined in the server, and reloading the page
again we can try 
our chance to change the password. Just fill in the
empty password fields 
with a password of your choice, and click "Change
Password": there you 
are... You have just reset the victim's password.

I have not tested this on different versions, but I
guess it will work for 
all of them. I would appreciate any comments on the issue.

Regards,



Thank you for bringing this to our attention, it was
fixed only a few hours after recieving this.

The FreeBSD port (which I maintain) has also been updated

Please use snapshot versions after 20030227, and make
sure the FreeBSD port is update as well.

-Trish Lynch - ecartis core team. 


  By Date           By Thread  

Current thread:
  • Re: Ecardis Password Reseting Vulnerability Trish Lynch (Mar 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]