Web Wiz Forums "is a free award winning ASP bulletin board system software, which can add value to almost any web site".
A vulnerability in the product allows remote attackers to post messages into private forums, and read private messages found in private forums (all without having authorization to do so).
Credit:
The information has been provided by Alexander Antipov.
Vulnerable systems:
* Web Wiz Forums version 6.34
* Web Wiz Forums version 7.01
* Web Wiz Forums version 7.5
Immune systems:
* Web Wiz Forums version 7.51
Web Wiz Forums does not verify whether the requester is allowed to access the message or the forum when "quote" mode is used. As a result, a remote user (authenticated or not) can read and post messages in private forums to which they have no access.
Example:
* User "A" has read and write access to Forum1 (FID=1) and no access to Forum2 (FID=2)
* A message with PID=1111 (in topic TID=11) belongs to Forum2 (FID=2)
* User "A" has no access to topic TID=11 with message PID=1111
However, user "A" can use "quote" mode for message PID=1111 with Forum1 (FID=1) (instead of FID=2), allowing him to read the private message and answer it. This is done by using the following URL:
http://webwizforum/post_message_form.asp?mode=quote&PID=1111&FID=1&TID=11&TPN=1
(Instead of PID=1111&FID=2&TID=11&TPN=1)
Solution:
-- begin snip post_message_form.asp ----
'If this is a quoted message read in the message to be quoted
If strMode = "quote" Then

    'Get the number this thread is after
    intTotalNumOfThreads = Request.QueryString("NOP")

    'Get the return thread page
    intRecordPositionPageNum = Request.QueryString("TPN")

    '--- bug fix by pharaoh ----
    'Check that the requested topic (TID) really belongs to the forum (FID) the user supplied
    strSQL = "SELECT " & strDbTable & "Topic.Subject FROM " & strDbTable & "Topic "
    strSQL = strSQL & "WHERE " & strDbTable & "Topic.Forum_ID = " & CLng(Request.QueryString("FID"))
    strSQL = strSQL & " AND " & strDbTable & "Topic.Topic_ID = " & CLng(Request.QueryString("TID"))

    rsCommon.Open strSQL, adoCon

    'No row: the topic is not in this forum, so refuse the request
    If rsCommon.EOF Then
        rsCommon.Close
        Set rsCommon = Nothing
        Set adoCon = Nothing
        Response.Redirect "insufficient_permission.asp"
    End If

    rsCommon.Close

    'Check that the requested post (PID) really belongs to that topic (TID)
    strSQL = "SELECT " & strDbTable & "Author.Author_ID, " & strDbTable & "Author.Username, " & strDbTable & "Thread.Message "
    strSQL = strSQL & "FROM " & strDbTable & "Thread INNER JOIN " & strDbTable & "Author ON " & strDbTable & "Thread.Author_ID = " & strDbTable & "Author.Author_ID "
    strSQL = strSQL & "WHERE " & strDbTable & "Thread.Thread_ID = " & CLng(Request.QueryString("PID"))
    strSQL = strSQL & " AND " & strDbTable & "Thread.Topic_ID = " & CLng(Request.QueryString("TID"))

    rsCommon.Open strSQL, adoCon

    'No row: the post is not in this topic, so refuse the request
    If rsCommon.EOF Then
        rsCommon.Close
        Set rsCommon = Nothing
        Set adoCon = Nothing
        Response.Redirect "insufficient_permission.asp"
    End If
    '--- bug fix by pharaoh ----
-- end snip post_message_form.asp ----
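The access-control flaw described above and the consistency check the patch adds, modelled as an added example (not code from the advisory or from Web Wiz Forums). The tables, user names and function names are constructed for illustration; the fixed version also performs the per-forum permission check that the patch assumes the surrounding page has already done.

```python
# Constructed data mirroring the advisory's scenario: user A may read Forum1
# (FID=1) but not Forum2 (FID=2); post PID=1111 sits in topic TID=11 of Forum2.
FORUM_ACCESS = {"A": {1}}                      # user -> forums the user may read
TOPICS = {11: {"forum_id": 2}, 3: {"forum_id": 1}}   # topic_id -> owning forum
POSTS = {
    1111: {"topic_id": 11, "message": "private text in Forum2"},
    5:    {"topic_id": 3,  "message": "public text in Forum1"},
}


def quote_vulnerable(user, pid, tid, fid):
    """Pre-7.51 behaviour: authorisation is decided on the client-supplied
    FID alone, so a permitted FID grants access to any PID/TID."""
    if fid not in FORUM_ACCESS.get(user, set()):
        return None
    post = POSTS.get(pid)
    return post["message"] if post else None


def quote_fixed(user, pid, tid, fid):
    """7.51-style behaviour: verify on the server that TID belongs to FID and
    that PID belongs to TID (the patch's two SELECTs), then authorise against
    the forum the post actually lives in. Returning None stands in for the
    redirect to insufficient_permission.asp."""
    topic = TOPICS.get(tid)
    if topic is None or topic["forum_id"] != fid:
        return None                    # topic is not in the claimed forum
    post = POSTS.get(pid)
    if post is None or post["topic_id"] != tid:
        return None                    # post is not in the claimed topic
    if fid not in FORUM_ACCESS.get(user, set()):
        return None                    # user may not read this forum
    return post["message"]
```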