Re: Authentication flaw in Web Wiz forum
From: Bruce Corkhill <bruce () webwizguide info>
Date: Tue, 02 Mar 2004 21:36:09 +0000
Yet again!! Alexander, aka Pig Killer, and Michael have posted an incorrect
security bug report without first fully testing their findings.
The security flaw reported below is incorrect, as they state that the user
code stored in a cookie is not changed when the password for an account is
changed. This is incorrect, as the user code is changed often, including when
the user changes his/her password, unless the forum admin changes the
password, in which case the user code is not changed, so the user doesn't have
to log back in if they request a new password from the forum admin. This may
be changed in the next version so that even if the admin changes a password
the user code is updated.
At 21:20 02/03/2004, you wrote:
Product: Web Wiz forum 7.0-7.7a www.webwizforum.com
Date: 02 March, 2004
Author: Pig Killer and Michael (www.SecurityLab.ru)
When a user logs on to the forum, the forum uses for his cookie identification
the User_code value from the tblAutor table in the underlying database, which
doesn't change when the password is changed. As a result, when a user changes
his password, he can register in the forum using old cookies. As a result, if
a user's cookies were compromised (for example by XSS), then even changing the
password will not protect his account from unauthorized use.
The forum also allows a logged-in user to change the password without entering
the old one. Thus, having the cookie, you can change the password without
knowing the old one.
Full-Disclosure - We believe in it.
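The two behaviours debated in this thread, shown as an added example that is not part of either message and is not Web Wiz Forums code: the cookie's user code is regenerated on every password write, including an admin reset, and a user-initiated password change requires the old password as well as a valid cookie. The `AccountStore` class, its method names and the in-memory table are hypothetical.

```python
import hashlib
import hmac
import secrets


class AccountStore:
    """In-memory stand-in for the forum's member table (hypothetical names)."""

    def __init__(self):
        self._users = {}  # username -> {"salt", "pw_hash", "user_code"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _set_password(self, username, password):
        salt = secrets.token_bytes(16)
        # A fresh user code on every password write invalidates all earlier cookies.
        self._users[username] = {
            "salt": salt,
            "pw_hash": self._hash(password, salt),
            "user_code": secrets.token_urlsafe(32),
        }

    def register(self, username, password):
        self._set_password(username, password)

    def login(self, username, password):
        """Return the cookie value (user code) on success, None on failure."""
        user = self._users.get(username)
        if user and hmac.compare_digest(user["pw_hash"], self._hash(password, user["salt"])):
            return user["user_code"]
        return None

    def cookie_is_valid(self, username, cookie):
        user = self._users.get(username)
        return bool(user) and hmac.compare_digest(user["user_code"].encode(), cookie.encode())

    def change_password(self, username, cookie, old_password, new_password):
        """User-initiated change: needs a valid cookie AND the old password."""
        if not self.cookie_is_valid(username, cookie) or self.login(username, old_password) is None:
            return None
        self._set_password(username, new_password)
        return self._users[username]["user_code"]  # new cookie for the current session

    def admin_reset_password(self, username, new_password):
        """Admin reset also rotates the code, so the user must log in again."""
        if username in self._users:
            self._set_password(username, new_password)
```
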