Full Disclosure mailing list archives

Insufficient Authorization vulnerability in Act
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 1 Sep 2013 20:37:53 +0300

Hello list!

This is an Insufficient Authorization vulnerability in Act. It is conference
software written in Perl.

Besides Insufficient Authorization, there are a lot of other vulnerabilities
in Act.

Affected products:

Vulnerable are all versions of Act (they fixed this hole on July 27, 2013).
The developers don't use version numbers for their software.

Affected vendors:

Act - A Conference Toolkit


Insufficient Authorization (WASC-02):


Any authenticated user can edit arbitrary talks (by setting the id) and also
delete them (via the edit function).

This vulnerability can be used to sabotage a conference by deleting all talks.

2013.07.14 - informed the organizers of YAPC::Europe 2013, on whose site I
found this and other holes. They ignored fixing this and all other holes at
their site (which they had for 10 years while using Act), arguing that the
developers of Act should do that and they don't care about the security of their
2013.07.14 - informed Act developers. They didn't answer.
2013.07.16 - announced on my site.
2013.07.27 - developers fixed this vulnerability (without answering and
2013.08.29 - disclosed on my site (http://websecurity.com.ua/6657/).

Best wishes & regards,
Administrator of Websecurity web site

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
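The defect described in the post is object-level (per-record) authorization missing from a talk-edit handler: the server checks that the caller is logged in, then trusts the talk id from the request. The following is an added illustration, not Act's code (Act is written in Perl; Python is used here only because the pattern is language-independent). The `User`/`Talk` models, the handler names `edit_talk_vulnerable` and `edit_talk_fixed`, and the sample talks are all constructed for this example.

```python
# Added example (not Act's code): a talk-edit handler with the kind of
# insufficient-authorization defect described in the post, beside a fixed
# version. Models, names and sample data are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    login: str
    is_organizer: bool = False   # organizers may manage any talk


@dataclass
class Talk:
    id: int
    owner: str                   # login of the speaker who submitted it
    title: str
    deleted: bool = False


class NotAuthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def sample_talks() -> Dict[int, Talk]:
    """Constructed sample data: two talks from two different speakers."""
    return {
        1: Talk(1, "alice", "Writing a parser in Perl"),
        2: Talk(2, "bob", "Testing with Test::More"),
    }


def edit_talk_vulnerable(talks: Dict[int, Talk], user: Optional[User],
                         talk_id: int, title: Optional[str] = None,
                         delete: bool = False) -> Talk:
    """The defect: only 'is the caller logged in?' is checked.

    The talk is looked up by the caller-supplied id with no test that the
    caller owns it, so any authenticated user can edit or delete any talk.
    """
    if user is None:
        raise NotAuthenticated("login required")
    talk = talks[talk_id]          # id comes from the request, never bound to user
    if delete:
        talk.deleted = True
    elif title is not None:
        talk.title = title
    return talk


def is_allowed(user: User, talk: Talk) -> bool:
    """Object-level authorization: the talk's owner or an organizer only."""
    return talk.owner == user.login or user.is_organizer


def edit_talk_fixed(talks: Dict[int, Talk], user: Optional[User],
                    talk_id: int, title: Optional[str] = None,
                    delete: bool = False) -> Talk:
    """Same handler with an ownership check before any write.

    A missing talk and a talk the caller may not touch produce the same
    error, so the response does not reveal which ids exist.
    """
    if user is None:
        raise NotAuthenticated("login required")
    talk = talks.get(talk_id)
    if talk is None or not is_allowed(user, talk):
        raise Forbidden(f"user {user.login!r} may not modify talk {talk_id}")
    if delete:
        talk.deleted = True
    elif title is not None:
        talk.title = title
    return talk


def demo() -> dict:
    """Send the same non-owner delete request to both handlers; return outcomes."""
    other_user = User("mallory")        # authenticated, owns no talks
    vuln = sample_talks()
    edit_talk_vulnerable(vuln, other_user, 1, delete=True)
    fixed = sample_talks()
    try:
        edit_talk_fixed(fixed, other_user, 1, delete=True)
        refused = False
    except Forbidden:
        refused = True
    return {"vulnerable_deleted": vuln[1].deleted,
            "fixed_refused": refused,
            "fixed_deleted": fixed[1].deleted}


if __name__ == "__main__":
    print(demo())  # {'vulnerable_deleted': True, 'fixed_refused': True, 'fixed_deleted': False}
```

The fix is the single `is_allowed` test placed before any write; the same check belongs in every handler that takes a record id (view, edit, delete), since the post notes that deletion was reachable through the edit path. Returning one error for both "no such talk" and "not your talk" keeps the endpoint from doubling as an id oracle.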
