List: bugtraq
Subject: Ecartis Password Resetting Vulnerability
From: Haluk AYDIN <haydin () biznet ! com ! tr>
Date: 2003-02-27 7:14:24
Hi,

I don't know if someone has discovered this before but Ecartis 1.0.0
(formerly Listar) contains a vulnerability that enables an attacker to reset
passwords of any user defined on the list server, including the list
admins.

After logging on as a non-privileged user, Ecartis enables the user to
change his/her password, but does not ask for the old one. The first time
I saw this, I thought that the software relied on the session
cookie, but it seems this is not the case.

The HTML page contains the username in the "hidden" fields. After saving
the page on disk, then replacing all "hidden" fields with another username
which is defined in the server, and reloading the page again we can try
our chance to change the password. Just fill in the empty password fields
with a password of your choice, and click "Change Password": there you
are... You have just reset the victim's password.

I have not tested this on different versions, but I guess it will work for
all of them. I would appreciate any comments on the issue.

Regards,
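
The flaw reported above, sketched as an added example that is not part of the original message and is not Ecartis code: a password-change handler that takes the target account from a form field, beside one that binds the change to the authenticated session and requires the old password. All names (`UserStore`, the form keys, the handlers) are hypothetical, and the accounts are constructed sample data.

```python
import hashlib, hmac, os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserStore:
    """Minimal in-memory account store (hypothetical, for illustration)."""
    def __init__(self):
        self._users = {}
    def set_password(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, _hash(password, salt))
    def check(self, user, password):
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        return hmac.compare_digest(digest, _hash(password, salt))

def change_password_trusting_form(store, session_user, form):
    """Pattern described in the post: the account comes from a client-supplied
    hidden field and the old password is never requested."""
    store.set_password(form["username"], form["new_password"])
    return True

def change_password_hardened(store, session_user, form):
    """The account is the server-side session identity; the form cannot pick it."""
    if session_user is None:
        return False
    # A submitted username that differs from the session is rejected
    # (and is worth logging as a tampering signal).
    if form.get("username", session_user) != session_user:
        return False
    # Re-authenticate with the current password before changing it.
    if not store.check(session_user, form.get("old_password", "")):
        return False
    new = form.get("new_password", "")
    if not new or new != form.get("confirm_password"):
        return False
    store.set_password(session_user, new)
    return True

if __name__ == "__main__":
    store = UserStore()                       # constructed sample accounts
    store.set_password("alice", "alice-old")
    store.set_password("listadmin", "admin-old")
    tampered = {"username": "listadmin", "new_password": "x", "confirm_password": "x"}
    print("hardened accepts tampered form:", change_password_hardened(store, "alice", tampered))
    print("admin password unchanged:", store.check("listadmin", "admin-old"))
```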