Full Disclosure mailing list archives

Critical bug in Web Wiz Forum
From: "Alexander" <pk95 () yandex ru>
Date: Fri, 30 Apr 2004 23:17:18 +0400

Hi all and Bruce!

Ctrlbrk found some critical bugs in Web Wiz Forum 7.x (including the last
public version, 7.7a).

1. SQL injection in pop_up_ip_blocking.asp, line 113:

  For each laryCheckedIPAddrID in Request.Form("chkDelete")  ← not sanitized

Must be:

  For each laryCheckedIPAddrID in Cint(Request.Form("chkDelete"))

As a result, a remote user may manipulate the SQL query and gain access to any
user account (User_code in the tblAuthor table). The forum also allows changing
the password without knowing the old password.

2. Unauthorized access in pop_up_topic_admin.asp when updating topic status:

Line 115:

  If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)

<-- blnModerator=false if the user is not a moderator, and that is all!

Must be:

  If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)
  If blnAdmin = False AND blnModerator = False Then
      Response.Write("<div align=""center"">")
      Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br /><br /><br />")
      Response.Write("</div>")
  End If

As a result, a remote unauthorized user may manipulate topic status: change
the name of a topic, close a topic, move a topic ...

3. Unauthorized admin Topic in pop_up_ip_blocking.asp

Line 107:

  If blnAdmin = False Then blnModerator = isModerator(intForumID, intGroupID)

Must be:

  If blnAdmin = False AND blnModerator = False Then
      Response.Write("<div align=""center"">")
      Response.Write("<span class=""lgText"">" & strTxtAccessDenied & "</span><br /><br /><br />")
      Response.Write("</div>")
  End If

As a result, a remote unauthorized user may block any IP address.



Pig Killer
www.SecurityLab.ru
www.Seclab.ru
www.Securityfocus.ru


Special thanks to Ctrlbrk



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
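
Added example, not part of the original message or of Web Wiz Forum's code: a Python model of the checks that items 1 and 3 call for in the delete branch of pop_up_ip_blocking.asp. It stops processing when the caller is neither admin nor moderator, validates every submitted chkDelete value as an integer, and binds the values as query parameters. The ban_list table, its columns, the function names and the sample rows are assumptions constructed for the illustration.

```python
import sqlite3

class AccessDenied(Exception):
    """Raised so the handler stops before any SQL is executed."""

def parse_ids(values):
    """Convert each submitted chkDelete value to int; reject anything else."""
    ids = []
    for raw in values:
        text = raw.strip()
        if not (text.isascii() and text.isdigit()):
            raise ValueError(f"non-numeric id: {raw!r}")
        ids.append(int(text))
    return ids

def delete_blocked_ips(conn, is_admin, is_moderator, chk_delete):
    """Model of the delete branch; ban_list/ban_id are hypothetical names."""
    # Authorization first: deny and stop processing.
    if not is_admin and not is_moderator:
        raise AccessDenied("access denied")
    # Validate the whole list before touching the database.
    ids = parse_ids(chk_delete)
    # Values are bound as parameters, never concatenated into the SQL text.
    conn.executemany("DELETE FROM ban_list WHERE ban_id = ?", [(i,) for i in ids])
    conn.commit()
    return len(ids)

def demo():
    """Run three constructed requests against an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ban_list (ban_id INTEGER PRIMARY KEY, ip TEXT)")
    conn.executemany("INSERT INTO ban_list VALUES (?, ?)",
                     [(1, "192.0.2.1"), (2, "192.0.2.2"), (3, "192.0.2.3")])
    results = {"moderator_deleted": delete_blocked_ips(conn, False, True, ["1", "2"])}
    try:  # neither admin nor moderator
        delete_blocked_ips(conn, False, False, ["3"])
    except AccessDenied:
        results["guest"] = "denied"
    try:  # admin session, but one value is not an integer
        delete_blocked_ips(conn, True, False, ["3", "3 OR 1=1"])
    except ValueError:
        results["tampered"] = "rejected"
    results["rows_left"] = conn.execute("SELECT COUNT(*) FROM ban_list").fetchone()[0]
    return results

if __name__ == "__main__":
    print(demo())
```

Because the whole list is validated before the first DELETE runs, the request with one bad value removes nothing, including the valid id submitted alongside it.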

